AUTHENTICATED , 
US. GOVERNMENT 
INFORMATION ^ 


[HA.S.C. No. 112-92] 


INDUSTRY PERSPECTIVES ON ACHIEVING 
AUDIT READINESS 


HEAKING 

BEFORE THE 

PANEL ON DEFENSE FINANCIAL MANAGEMENT 
AND AUDITABILITY REFORM 

OF THE 

COMMITTEE ON ARMED SERVICES 
HOUSE OF REPRESENTATIVES 

ONE HUNDRED TWELFTH CONGRESS 

FIRST SESSION 


HEARING HELD 
NOVEMBER 17, 2011 



U.S. GOVERNMENT PRINTING OFFICE 
72-416 WASHINGTON : 2012 


For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 

U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com. 


PANEL ON DEFENSE FINANCIAL MANAGEMENT 
AND AUDITABILITY REFORM 

K. MICHAEL CONAWAY, Texas, Chairman 
SCOTT RIGELL, Virginia ROBERT ANDREWS, New Jersey 

STEVEN PALAZZO, Mississippi JOE COURTNEY, Connecticut 

TODD YOUNG, Indiana TIM RYAN, Ohio 

Paul Foderaro, Professional Staff Member 
William Johnson, Professional Staff Member 
Lauren Hauhn, Researeh Assistant 


(II) 



CONTENTS 


CHRONOLOGICAL LIST OF HEARINGS 
2011 

Page 

Hearing: 

Thursday, November 17, 2011, Industry Perspectives on Achieving Audit 
Readiness 1 

Appendk: 

Thursday, November 17, 2011 21 


THURSDAY, NOVEMBER 17, 2011 
INDUSTRY PERSPECTIVES ON ACHIEVING AUDIT READINESS 

STATEMENTS PRESENTED BY MEMBERS OF CONGRESS 

Andrews, Hon. Robert, a Representative from New Jersey, Ranking Member, 

Panel on Defense Financial Management and Auditability Reform 2 

Conaway, Hon. K. Michael, a Representative from Texas, Chairman, Panel 
on Defense Financial Management and Auditability Reform 1 

WITNESSES 

Boutelle, Joann, Partner, Deloitte and Touche LLP 3 

Keeley, Mark, Partner, PricewaterhouseCoopers LLP 7 

Porter, Tracy, Partner, Grant Thornton LLP 5 

APPENDK 

Prepared Statements: 

Boutelle, Joann 27 

Conaway, Hon. K. Michael 25 

Keeley, Mark 49 

Porter, Tracy 37 

Documents Submitted for the Record: 

“DOD Audit Readiness Essentials,” Submitted by Mark Keeley 61 

Witness Responses to Questions Asked During the Hearing: 

[There were no Questions submitted during the hearing.] 

Questions Submitted by Members Post Hearing: 

[There were no Questions submitted post hearing.] 


(Ill) 




INDUSTRY PERSPECTIVES ON ACHIEVING AUDIT 
READINESS 


House of Representatives, 

Committee on Armed Services, 

Panel on Defense Financial Management and 

Auditability Reform, 

Washington, DC, Thursday, November 17, 2011. 

The panel met, pursuant to call, at 8:00 a.m. in room 2212, Ray- 
burn House Office Building, Hon. K. Michael Conaway (chairman 
of the panel) presiding. 

OPENING STATEMENT OF HON. K. MICHAEL CONAWAY, A REP- 
RESENTATIVE FROM TEXAS, CHAIRMAN, PANEL ON DE- 
FENSE MANAGEMENT AND AUDITABILITY CONTROL 

Mr. Conaway. Thanks to everyone for being here at our last 
Panel on Defense meeting for the month of November. I would like 
to welcome our witnesses this morning to bring us industry’s per- 
spective on audit readiness. 

Over the past 4 months we have heard from a variety of wit- 
nesses within Government, including representatives from the of- 
fice of OSD [Office of the Secretary of Defense] and military depart- 
ment comptrollers; the Department of Defense functional commu- 
nities; department Office of Inspector General; and the GAO [Gov- 
ernment Accountability Office] on the challenges that the Depart- 
ment faces in achieving audit readiness and its efforts to resolve 
these issues. 

Today, as the Panel nears the completion of its work, we turn to 
accounting firms that have experience out of the private sector, as 
well as within Government, to get their views on the impediments 
to DOD [Department of Defense] achieving auditability and the ac- 
tions needed to address these challenges. 

In addition to having experience performing work at various 
other entities, these firms are involved in almost every aspect of 
the Department’s financial improvement and audit readiness ef- 
forts, ranging from assisting DOD components in implementing the 
FIAR [Financial Improvement and Audit Readiness] strategy, to 
assisting the Office of the Under Secretary of Defense, Comptroller, 
in performing its review of DOD’s components’ progress, and actu- 
ally performing certain audits themselves. 

Therefore, they can provide a well-informed point of view on the 
problems facing DOD as it works toward achieving auditability on 
the statement of budgetary resources by 2014 and full financial 
statements by 2017. 

Some of the challenges have been identified to date, including 
sustaining leadership and effective oversight, ensuring workforce 

( 1 ) 



2 


competency and implementing the ERPs [Enterprise Resource 
Planning], solving longstanding internal control weaknesses, and 
managing organizational challenges associated with having a large 
and complex organization such as DOD. 

The witnesses here today may or may not consider all these 
issues as impediments to improving financial management and 
audit readiness, or they may have slightly different take on the 
issues, or they may identify other challenges altogether. 

Most significantly, they may be able to provide alternative op- 
tions on how to overcome these weaknesses. 

I look forward to hearing their testimony. I would now like to in- 
troduce our witnesses. We have got Ms. JoAnn Boutelle, partner 
with Deloitte and Touche; Ms. Tracy Porter, partner with Grant 
Thornton; and Mr. Mark Keeley, partner with 
PricewaterhouseCoopers. 

Now I would like to turn to Rob Andrews for any opening state- 
ment he would like to make. 

[The prepared statement of Mr. Conaway can be found in the Ap- 
pendix on page 25.] 

STATEMENT OF HON. ROBERT ANDREWS, A REPRESENTATIVE 

FROM NEW JERSEY, RANKING MEMBER, PANEL ON DE- 
FENSE FINANCIAL MANAGEMENT AND AUDITABILITY CON- 
TROL 

Mr. Andrews. Well, good morning. Chairman. 

Good morning, ladies and gentlemen. I am glad to have you with 
us. 

I will repeat something I have said as we have gone forward in 
this process; that we are on the verge of making very consequential 
decisions about the defense budget, either by default, through the 
sequestration process, or through a more deliberative mechanism 
through the Special Committee. But one way or another there is 
big decisions ahead. 

And one thing I think that we all understand is that bad data 
lead to bad decisions, and bad recordkeeping systems lead to bad 
data. And it is an unfortunate presumption that the present state 
of affairs — because we do not have accurate financial statements 
from the Department of Defense — gives us too much bad data. 

So this whole project is really not about some, you know, meta- 
physical accounting exercise — with all due respect to the chair- 
man — don’t want to insult accountants, but it is about a much larg- 
er and more substantive problem, which is if — that are we going 
to make these very consequential decisions with good information 
or without good information. 

And I am encouraged by much of what I have heard from the De- 
partment of Defense and the Services and the various sub-units of 
the Services that are responsible for making us audit-ready by the 
statutory deadline. 

But that is only half of the equation. I have been looking forward 
to this morning because it is the other half of the equation. We 
have been hearing from the people who are going to be preparing 
to be audited. We are now going to hear from the people who will 
be doing the audits and get your perspective on the audit readiness 
and the steps that stand between us and being totally audit-ready. 



3 


So we are glad that you are here. The spirit of this panel has al- 
ways been to try to take information and use it in the best way 
possible, and we are glad that you are here to give us some of that 
information we can use. 

So thank you, Mr. Chairman. I look forward to the testimony. 

Mr. Conaway. Thanks, Rob. 

Ms. Boutelle, your opening statement? And without objection, all 
your statements will be entered in the record. Your written state- 
ments will be entered in the record. 

STATEMENT OF JOANN BOUTELLE, PARTNER, DELOITTE AND 

TOUCHE LLP 

Ms. Boutelle. Thank you. 

Chairman Conaway, Congressman Andrews and members of the 
Panel, thank you for the opportunity to testify today. 

I have had the unique experience over the last 26 years serving 
in both Government and now industry. Prior to joining Deloitte in 
2004, I worked as the Deputy Chief Financial Officer at DOD and 
before that at the Defense Finance and Accounting Service. 

While serving as the DCFO [Deputy Chief Financial Officer], I 
recognized the managerial challenges caused by issues with the in- 
tegrity of DOD financial data and led efforts to improve financial 
statements, business processes and systems. 

It is from this experience that I offer my perspective on two 
areas which I think are critical to DOD’s achieving auditability; 
first, an increase in sustained leadership commitment and, second, 
a workforce with the applicable financial and technical com- 
petencies. 

I will talk about leadership first. A commitment from DOD lead- 
ership starting at the Secretary’s level is critical to achieve audit 
readiness by 2017. This belief comes from Deloitte’s direct experi- 
ence working with both commercial and Government clients. 

The chief financial officer and the DOD financial management 
community have demonstrated leadership in addressing the tough 
issues of fixing the Department’s business processes and systems. 

However, the business owners must also be held accountable to 
correct deficiencies that impact the Department’s ability to achieve 
their audit goals. Cross-functional ownership at the senior levels 
cannot be forced by the CFO [Chief Financial Officer], who is a 
peer to many of the business leaders. This is a job for the Secretary 
and the Deputy Secretary, with tangible and measurable objectives. 

Secretary Panetta’s recent announcement that he is now person- 
ally involved in driving the Department to achieve audit readiness 
is a major signal that this is a top priority of the Department. 

However, sustained participation from the Secretary and Deputy 
Secretary is critical to reinforcing the message throughout the De- 
partment that auditability is a top priority. Let me provide an ex- 
ample where a director of an agency became personally involved in 
achieving auditability. The Defense Information Systems Agency, 
or DISA, started on a journey in 2005 to obtain an audit opinion 
on its financial statements. The DISA director and others in leader- 
ship became personally involved and actively drove the audit readi- 
ness efforts, and recently DISA successfully completed an audit of 
their working capital fund. 



4 


The ongoing involvement of the DISA director was a major factor 
in their success. 

Deloitte has seen similar examples in recent years on the com- 
mercial side where corporate CEOs [Chief Executive Officers] and 
COOs [Chief Operating Officers] aggressively led the implementa- 
tion of the Sarbanes-Oxley Act. These organizations quickly 
learned that success required the full engagement of senior execu- 
tives, not only in finance, but in the business units. 

A similar pattern of sustained leadership engagement is critical 
to the Department’s ability to meet its aggressive audit readiness 
time lines. 

Now let me address the second critical area for success: The need 
to improve the competencies of the DOD workforce. Workforce de- 
velopment relating to financial management within the DOD 
should include three areas. 

Eirst, there are the people who are directly involved in the prepa- 
ration of the Department’s financial statements. There should be 
an increased effort to hire CPAs [Certified Public Accountants] into 
these key positions and also to incentivize current qualified em- 
ployees to take the CPA exam. 

Second, there are those nonfinancial managers who in the course 
of their daily jobs conduct activities that result in a financial trans- 
action. Not all of these people need to be trained accountants, but 
they need to be trained to understand their role in financial man- 
agement and why controls and timely processing of financial trans- 
actions are important to the integrity of the financial data. 

Third, there are those financial managers in DOD who are di- 
rectly involved in the financial statement audit and audit readiness 
process. 

Leading these efforts requires CPAs with experience in complex 
financial statement audits. Getting to the first audit opinion is the 
most difficult step, and meeting the need for experienced audit pro- 
fessionals is critical to help DOD focus their resources most effec- 
tively. 

The DOD does not have a sufficient number of CPAs with this 
experience. Since coming to Deloitte and working directly with sea- 
soned audit practitioners, I have come to appreciate the difference 
between knowing how the Department processes and accounts for 
financial and budgetary transactions and knowing how to audit 
these transactions. DOD needs to recognize this difference. 

In conclusion, DOD and its industry partners share the same 
goal — for DOD to achieve an unqualified audit opinion and for 
them to meet their deadlines. 

I want to thank the Panel for holding these important hearings 
on defense financial management and for your laser-focused atten- 
tion on this very important issue. 

I look forward to your questions. 

[The prepared statement of Ms. Boutelle can be found in the Ap- 
pendix on page 27.] 

Mr. Conaway. Thank you, Ms. Boutelle. 

Ms. Porter. 



5 


STATEMENT OF TRACY PORTER, PARTNER, GRANT 
THORNTON LLP 

Ms. Porter. Chairman Conaway, Ranking Member Andrews and 
distinguished members of the Panel, good morning and thank you 
for inviting me to testify today. I am pleased to be able to share 
with you my perspective on the impediments to DOD achieving 
audit readiness and the actions DOD needs to take to become 
audit-ready. 

As you know. Grant Thornton was recently retained to perform 
the audit of the statement of budgetary resources of the United 
States Marine Corps. The results of that audit aren’t the subject 
of my testimony today. 

Instead, my views have been formed through years of conducting 
audits and audit readiness engagements for the Federal Govern- 
ment. 

I know, for some, audit readiness at DOD may seem like a strug- 
gle that will not soon be won. But I have seen significant changes 
in recent past included a much stronger focus on improving finan- 
cial management and not simply because of the audit. 

Instead, there is a strong and sincere desire at DOD to give de- 
fense managers and warfighters better financial information with 
which to make their business decisions. 

Improving financial management is the ultimate goal of auditing 
the financial statements. But the road to an unqualified opinion is 
often rocky. Too often organizations and their stakeholders have 
unrealistic expectations about the results of early audits. 

Some of the expectations may derive from the term “audit readi- 
ness.” When laymen hear the term “audit readiness” they may as- 
sume it means an organization is likely to obtain an unqualified 
opinion on its financial statements. It often means, however, that 
the organization simply has enough evidence ready to subject to 
the scrutiny of auditors, even though the result may be a qualified 
opinion or even a disclaimer. 

The past has shown that receiving a qualified opinion or dis- 
claimer is often the first step most Federal agencies have had to 
take before they really understand where the focus of their audit 
remediation efforts need to be. 

Like almost every action DOD takes, its audit will be the single 
largest audit every undertaken. In addition to large, the audit will 
be complex because DOD’s operations span our Nation’s history, 
while the focus on audit readiness is relatively recent. 

Unlike most companies undergoing an audit for the first time, 
DOD isn’t audit-ready. The difference between the initial audit 
readiness of DOD and most large companies stem from the drive 
for profit. The profit drive ingrains in private sector personnel that 
without financial managers’ input to keep business decisions, they 
don’t have adequate understanding of the availability of resources 
to carry out their operations. That nature hasn’t been part of the 
Government’s way of doing business. They just assume the funding 
will come. 

While changing today’s past practices are slow, the financial 
statements still reflect transactions from the past. So often obtain- 
ing that clean opinion for the first few years is unrealistic. Just as 
expectations of audit readiness should be managed, it should also 



6 


be ensured that realistic deadlines are imposed. In a publicly trad- 
ed company, auditors are in an organization every quarter and 
then they have 90 days at the end of the fiscal year to complete 
the financial statement audit. 

Within the Federal Government, agencies have up to 45 days 
after the end of the year to complete and submit their audited 
statements to 0MB [Office of Management and Budget]. In my 
view, it is simply impractical to subject an organization as complex 
as DOD to this unreasonable deadline for the first few years that 
they are subjected to the audit, especially when the publicly traded 
counterparts that are smaller and less complex have twice as long 
to accomplish the same tasks. 

Another challenge is DOD’s reliance on a complex web of service 
providers. Service providers perform financial management func- 
tions such as transaction processing and systems maintenance. In 
carrying out the functions, DOD agencies assume the service pro- 
viders have proper internal controls, while service providers rightly 
assume that the policies and procedures are residing within the 
agencies. 

An effective manner for DOD to actually gain that assurance, in- 
stead of having to assume, is to have the service provider’s internal 
controls audited by an independent party. But it might surprise the 
Panel members to know that DOD service providers aren’t sub- 
jected to that audit, like the service providers in other agencies. 

In addition, DOD agencies and service providers need a detailed 
agreement that documents what the service providers are supposed 
to do for the agencies. That lack of agreement results in poor con- 
trols and injects risk in every transaction. 

Internal controls within DOD agencies themselves are also weak, 
and it is another challenge that they face. The organization as 
large and complex as DOD, they need a uniform approach to inter- 
nal controls that would greatly enhance their financial manage- 
ment. The DOD controls environment is often far from standard, 
resulting in a decentralized, ineffective financial management envi- 
ronment. Without a uniform approach, it is difficult to share and 
adopt lessons learned in all DOD agencies and service providers. 

The 2,200-plus business systems that DOD relies on to perform 
its financial management is another challenge. This would be dif- 
ficult enough were such systems under some standardization. Un- 
fortunately, consistent policies on data processing and management 
are not in place. 

In my view, there are situations where DOD should not go back 
and undo the sins of the past. When a proper justification can be 
made, certain old transactions recorded in a financial system would 
far outweigh their benefits. But standards and policies and proce- 
dures need to be in place to govern systems and the data that they 
maintain for current and future transactions. 

Human capital is another major challenge throughout the Fed- 
eral Government. The chain of command in the defense community 
adds complexity to that challenge. Financial management officials 
at headquarters often have no indirect or no authority over the fi- 
nancial management officials in the field. In addition, those field 
managers have more loyalty to their commanders than to the head- 
quarters-level staff. This lack of financial management chain-of- 



7 


command makes it difficult to apply consistent financial manage- 
ment policies and procedures. 

I have discussed the challenges to audit readiness asrequested. 
And though they are many, the talent and energy being invested 
by DOD in improved financial management is unprecedented. With 
DOD’s continued leadership and attention, and the support and 
pressure applied by panels such as this one, I am sure we will be 
soon be reminiscing about just how steep the climb was at one 
time. 

That concludes my opening statement. I would be happy to take 
any questions. 

[The prepared statement of Ms. Porter can be found in the Ap- 
pendix on page 37.] 

Mr. Conaway. Thank you, Ms. Porter. 

Mr. Keeley. 

STATEMENT OF MARK KEELEY, PARTNER, 
PRICEWATERHOUSECOOPERS LLP 

Mr. Keeley. Chairman Conaway, Ranking Member Andrews and 
members of the Panel, it is a pleasure to be here today to share 
my perspectives about the impediments to the Department of De- 
fense achieving audit readiness and the actions the DOD needs to 
take to become audit-ready. 

My own audit readiness perspectives come from 27 years of pub- 
lic accounting experience as a licensed CPA, including 20 years in 
the private sector and 7 years working here with the DOD. My ex- 
perience is primarily in information systems auditing, but I will 
also offer an informed opinion today to the extent that I am able 
on broad audit readiness matters within the DOD. 

The firm in which I am a partner, PricewaterhouseCoopers LLP, 
has performed first-time audits of several Federal Government de- 
partments and DOD entities, including the financial statement 
audit of the United States Army Corps of Engineers-Civil Works; 
the financial statement audit of an intelligence community agency; 
and the service organization audit of the Defense Information Sys- 
tems Agency. 

In addition, PwC [PricewaterhouseCoopers LLP] has been pro- 
viding audit readiness advice to the Office of the Under Secretary 
of Defense Comptroller, Financial Improvement and Audit Readi- 
ness Directorate, FIAR, for the past 3 years. In this capacity, I 
have assisted with the development and implementation of the 
FIAR guidance and helped develop and teach the FIAR Direc- 
torate’s 3-day audit readiness professional development course to 
over 1,000 DOD professionals, including financial leaders. 

Most recently, I signed the unqualified examination opinion on 
the successful audit readiness of the Air Force fund balance with 
Treasury reconciliation process. 

As I was preparing my testimony today, I happened to visit the 
Department of Energy. The lobby of the Department headquarters 
contains a prominent display about the Manhattan Project and the 
role of Albert Einstein. The display reminded me of a quotation by 
Albert Einstein that is relevant to today’s topic: “We cannot solve 
the problems by using the same kind of thinking we used when we 
created the problems.” 



8 


The DOD did not intend to create the audit readiness challenges 
it has today. Rather, the DOD developed and implemented proc- 
esses and systems tailored to achieve its overall functional mission. 
Audit-readiness then became an imperative. Because of DOD’s in- 
cumbent processes and systems were not originally designed to 
meet audit readiness, a new kind of thinking will be required for 
the DOD to address the requirements of an audit-ready organiza- 
tion. 

Since the CFO Act was passed in 1990, one of the most signifi- 
cant changes in audit readiness thinking that has already occurred 
in the DOD is the development and implementation of a financial 
improvement and audit readiness strategy. Rather than attempt to 
audit an entire component all at once, the strategy prioritizes fi- 
nancial improvement work into manageable waves of audit activity 
such as the statement of budgetary resources. 

The work ethic of DOD personnel is strong and the DOD can ac- 
complish any goal that it sets for itself The 60-day SBR [statement 
of budgetary resources] plans that are currently being developed by 
each component will soon provide detailed blueprints for how the 
DOD will meet the latest audit readiness deadlines. 

Based on PwC’s experience, the DOD should continue to improve 
its financial management and audit readiness efforts in three ways. 
First, enhance the skills of personnel resources through the addi- 
tion of certified public accountants who have financial statement 
audit experience, and also continue to implement the Secretary of 
Defense Comptroller’s financial improvement and audit readiness 
professional development program, as well as the financial man- 
agement certification program. 

Number two — ensure that functional leaders and financial lead- 
ers throughout the DOD, including the leaders of components, as 
well as shared service organizations, are held equally accountable 
for audit readiness. Third, ensure legacy or ERP systems are con- 
figured to report data in the financial statements as prescribed by 
generally accepted accounting principles, or GAAP. 

I would be pleased to expand further on these three mains areas 
during the question and answer period, and I thank you again for 
the opportunity to share my perspectives. 

[The prepared statement of Mr. Keeley can be found in the Ap- 
pendix on page 49.] 

Mr. Conaway. Well, thank you very much. It does occur to me 
that this may be one of the few times we have five CPAs — there 
may be some in the audience as well. Any CPAs in the audience? 
Wow — seven. Steve and I are CPAs as well. So I want to get that 
on there — just a personal plug. 

[Laughter.] 

And I am wearing my CPA cufflinks, too, by the way. Rob. 

Mr. Andrews. I have my American flag cufflinks. 

Mr. Conaway. Okay. 

[Laughter.] 

Todd, you have 5 minutes. 

Mr. Young. Well, I am not a CPA, so I didn’t understand all the 
CPA humor, but I appreciate everyone being here this morning. I 
was particularly interested, Ms. Porter, in your comments related 
to internal controls and the internal control environment within 



9 


DOD, but also outside the various stakeholders and service pro- 
viders that DOD has. I don’t know how many entities provide serv- 
ices to DOD, but quite a large number, I suspect. 

To your knowledge, are any of those audited with respect to their 
internal control processes and procedures right now — something 
that you recommended we start doing? 

Ms. Porter. Within DOD, there are two, I believe, current — they 
are called SAS-70 or SSAE-16 audits. They are the audits of the 
internal controls of the service providers. I believe DISA has one 
and DFAS [Defense Finance and Accounting Services] has an 
audit, but not as a service provider. There was one more. It might 
be DCA [Defense Commissary Agency]. 

Mr. Young. That is all right. 

Ms. Porter. DCIPS [Defense Civilian Intelligence Personnel Sys- 
tem] also has one. 

Mr. Young. If I understood in your testimony, you actually think 
that we should engage in more audits, broader audits, more regular 
audits of those entities. 

Ms. Porter. Of the service providers, yes. 

Mr. Young. That would seem to result in a great expansion of 
all the audit activity of DOD, which may well be justified. It may 
be necessary, to your mind. 

Are there some examples you can think of where had we con- 
ducted audits of these service providers, it would have mitigated 
some challenges that we are now experiencing? 

Ms. Porter. The service providers operate the systems that cut 
across all the military departments. So I will give you an example. 
In the Marine Corps, DFAS actually processes the transactions for 
the United States Marine Corps out of one of their locations. A lot 
of the information that and the challenges that occur during that 
audit, DFAS is taking those lessons learned and moving them 
across the rest of their organization. Had those audits of that serv- 
ice provider happened prior to the Marine Corps audit, there would 
have been a more consistent and advanced notice of those types of 
improvements that needed to be made before the Marine Corps 
audit got underway. 

The other part to think about is each time that a service pro- 
vider — so let us say that the Army goes under audit tomorrow. 
DFAS still has to be audited by the Army auditors as well because 
there is not this independent report that each of the auditors of the 
military services can look at and rely on. 

Mr. Young. I see. Okay. 

You also spoke, Ms. Porter, to some unique human-capital chal- 
lenges that our Armed Services face in light of the formal chain of 
command and then their duties, which are within the realm, in 
some cases, of financial management; so some people following the 
marching orders of those in the field, others listening to those at 
command. That seems like a pretty great challenge. Is that unique, 
however, to the military? 

I mean, within the private sector we have business units, and we 
have, you know, all sorts of different boxes and different people to 
look to. 

I guess I am trying to get a sense of why this is a unique chal- 
lenge to the military? Maybe you could speak to that. If I under- 



10 


stand the problem maybe we can come up with a better way to ad- 
dress it. 

Ms. Porter. I think the problem is unique to the military be- 
cause the functional leaders, both at the command level — don’t un- 
derstand how they actually play into the overall financial manage- 
ment role. They don’t understand how what they do in making 
their purchases and the acceptance of — like a receiving report at 
the field level really has an overall implication up to the financial 
statements themselves. 

And I think that — you know, the command level financial man- 
agers understand there is a standard set of policies and procedures. 
But what happens when they are down there is they get imple- 
mented in a way that works for them, which isn’t necessarily the 
standardization across all the Department. 

Mr. Young. It seems like that challenge could be one experienced 
by private sector entities, though, right? And if so, how is it typi- 
cally addressed there? 

Ms. Porter. I think the challenge could be addressed there, but 
it is mitigated because the auditors are in with all parts of the or- 
ganization and have been for years. So everybody understands 
their role and what they do to get to those audited numbers. And 
right now this is all foreign to DOD. 

Mr. Young. Okay. Thank you. 

Mr. Conaway. Mr. Andrews. 

Mr. Andrews. Thank you. 

I thank the witnesses. 

Mr. Keeley, you tell a story in your testimony about a payroll 
audit requiring 8,000 hours in 1 year and then 400 hours the next 
year because of technological improvements that were made. And 
that is in the context of your assessment of the ERP situation gen- 
erally. 

Given what you know about the progress or lack thereof of the 
ERP systems, how do you think we are doing? And what sugges- 
tions might you make for us to expedite the process and improve 
the quality? 

Mr. Keeley. Thank you for the question. Congressman. 

From my perspective, auditors are systems agnostic. So the FIAR 
guide itself speaks to the need for the components to improve, leg- 
acy systems or ERP solutions. 

So the aspects that an auditor looks for in any system is that the 
transactions are processed in accordance with GAAP, they capture 
and retain the transaction data so that it can be traced to the fi- 
nancial statements, and that transactions are maintained in a reli- 
able computer environment. 

The example I used in my written testimony regarding the 8,000 
hours that it took to test the 800 items really comes from the spec- 
trum of control that we need to achieve within the systems envi- 
ronment, both legacy systems and the ERP. 

And I have spoken to this point many times at the FIAR direc- 
torate and elsewhere throughout the components. Based on all my 
years as a systems auditor, the controls that are most required for 
an information system are logical security and programming. 



11 


If a component can prove to me that direct access to programs 
and data is well-secured, that component is well on its way to 
achieving at least some reliance on 

Mr. Andrews. Based upon your knowledge of the ERPs that are 
in various stages of development, how do we stack up against that 
criterion? 

Mr. Keeley. My experience looking at the criteria is that the 
ERPs are first focused on functionality. So it is perfectly normal 
when you develop an ERP system to make sure it works. That is 
what the Department of Defense has been primarily focused on. 

From my experience, the controls that I spoke to in terms of log- 
ical security and program are often implemented after the 
functionality is addressed. So from my perspective, the view of con- 
trols and the testing of logical security programming and oper- 
ations needs to happen much more quickly. It should be happening 
at the front end, in the middle and at the end. From what I have 
seen, that is not happening. 

Mr. Andrews. Now, Ms. Porter, you make reference to the 
SSAE-16 standards, which I think you say are lacking in a lot of 
the service provider areas. 

What kind of changes would the service providers have to adopt 
in order to comply with the SSAE-16 standards? 

Ms. Porter. The first step in the process would be to actually 
have those systems and their processes as a service provider be ex- 
amined under those standards. 

Right now there is very few, there is one that was recently 
awarded that is under way right now in the civilian pay process. 
But that would be the first step. 

Mr. Andrews. What do think that those examinations would 
likely yield? And what changes would those examinations likely 
provoke? 

Ms. Porter. They would yield where there are deficiencies in the 
controls around the information systems and the transaction proc- 
essing that those systems take place. 

And the hopeful result that would come out of that would be 
there would be changes made to those systems that would have an 
impact across all the military services and would get them one step 
closer to having that production of data at the transaction level 

Mr. Andrews. You think those changes could likely be achieved 
with existing resources or would they require new resources for 
those service providers? 

Ms. Porter. I think with the proper level of understanding and 
training, I think they could be accomplished with the service pro- 
viders that are in place today. 

I think they are definitely dedicated to making those things hap- 
pen. 

Mr. Andrews. We think so too. We are encouraged by it. 

Now, Ms. Boutelle, you sat on both sides of the equation here, 
in your service, within the Department of Defense as well as on the 
outside. And you claim, and I think you are right, that increasing 
the number of CPAs that we have is an essential priority. 

Do you think that we have a compensation structure within the 
Federal service that will facilitate that goal, or won’t it? 



12 


Ms. Boutelle. I think the compensation structure is fine. There 
is a lot of opportunities to incentivize people to come on board. 

So I think if they take advantage of what is available to them 
to actually target CPAs, perhaps sign-up bonuses, training opportu- 
nities and things like that, I think that they can attract strong 
CPAs into the workforces. 

Mr. Andrews. We have attracted seven of them here this morn- 
ing, so that is a very good sign. 

[Laughter.] 

I also just wanted to comment about the ERPs that — and I want 
to thank the chairman and Chairman McKeon and Ranking Mem- 
ber Smith in response to our last hearing about some concerns that 
GAO had raised about the ERPs. 

Chairman Conaway and the other members I mentioned, along 
with myself, signed a letter November 8th to the GAO asking that 
the GAO update its work on the ERPs by the 31st of December if 
they could. 

So what deadline are we using? 

Mr. Eoderaro. The 31st of March. 

Mr. Andrews. I am sorry, I am always an optimist. So that we 
would have available to us their work; so as we deliberate on the 
fiscal year 2013 bill we have that. So I wanted to thank the chair- 
man for his cooperation in that letter, and thank you for writing 
it. 

[Laughter.] 

Thank you very much. 

Mr. Conaway. Thanks, Rob. 

Steve. 

Mr. Palazzo. Well, good morning. 

And for Todd, I am not going to say any CPA jokes, because he 
just doesn’t get our humor. 

[Laughter.] 

And I guess we will just start with Ms. Boutelle and just go to 
the right. 

I am interested in knowing — I was going to talk about ERPs. 
And as a CPA myself I have been through the ERP process; not 
at the level of a DOD audit. So I was going to talk on that. 

But what I wanted to see is — ^you know, there have been some 
dates out there. We are supposed to achieve audit readiness by 
2017. Then all of a sudden Secretary Panetta came out and said, 
“We can do this by 2014.” Then all of a sudden there is some — you 
know, there was an article — for another $1 billion we could do it 
by 2017. 

So in you all’s opinion, what is a true, accurate date? You know, 
where do you think we are actually going to be able to achieve 
audit readiness? What are some of the most important factors in 
preparing us for audit achievability and any weaknesses and 
strengths along the way? 

And you can expand or summarize however you want. 

Ms. Boutelle. Good question. That is a question that has been 
asked for years, right? And I think that until the business leaders 
become more engaged in fixing the business processes and systems 
that the progress is not going to be made as aggressively as it 
needs to. 



13 


So to the point of what needs to he done, besides leadership in- 
volvement, I think there is something to be said for the ERPs, but 
to build the ERPs off of standard processes, standard data, they 
need to focus more on the business enterprise architecture in the 
Department, a wonderful tool that would allow them to build the 
processes so that there is one place of truth for how to do business 
with the Department — or within the Department — and would allow 
them then to test all of the ERPs that are being developed against 
that one standard truth. 

So I think that that would certainly help. But I do think that the 
biggest challenge is getting the owners of the processes. So, again, 
whether you are talking about a payroll transaction, you are talk- 
ing about receiving goods or services, you are talking about issuing 
inventory, transporting equipment material, all of those are busi- 
ness processes and those transactions are the type of transactions 
where the impediments are. 

And so to fix them, to meet audit criteria, is what should be the 
major focus going on in the Department. 

Mr. Palazzo. Just real quickly: 2017 or 2014 

Ms. Boutelle. So 

Mr. Palazzo [continuing]. Or somewhere in between? 

Ms. Boutelle. So I actually think 2014 is very aggressive. I just 
think that is very aggressive given all of the details that they need 
to work. 

But somewhere between 2014 and 2017, I think, should be do- 
able if they put the resources and the attention on it that is need- 
ed. 

Mr. Palazzo. Thank you. 

Ms. Porter. 

Ms. Porter. I would agree with Ms. Boutelle that you need that 
sustained leadership to continue and you need that leadership to 
get out to the field level so that they really do understand what 
their role is in the overall financial management process. 

The other thing I think that is going to be key to this is trans- 
action level detail, regardless of where that transaction level detail 
comes from — because you can’t do an audit without it. And the 
other thing that you need is the documentation that is going to 
support the transaction level detail. 

If you put all of those things together, you can achieve the 2014 
and the 2017 goal with the right amount of focus and the right 
sustainment across the Department. 

Mr. Keeley. Congressman, I have two points to make on this 
topic. 

From my perspective, the first one is methodology. In order to 
achieve the date, the methodology has to be ingrained throughout 
the Department. In the FIAR methodology, it is very straight- 
forward and basic. We need to identify and document financial 
processes, test internal controls, test documentation, find gaps and 
correct them. 

The most important aspect right now is testing. We have spent 
a lot of time documenting processes. And I have seen volumes of 
them. And people are documenting everything they do that is crit- 
ical to the mission, and that is very important. 



14 


We need to extract the financial aspects and get down to testing. 
That is my first point. 

The second point I would mention is the skill of the people to 
apply this approach. People are definitely hard-working; and there 
is a strong work ethic throughout DOD. But it comes down to judg- 
ment. When you look at workarounds in an ERP solution, how you 
are going to test that workaround. It comes down to pure judg- 
ment, and that only comes from experience. 

The word “judgment” appears in the Government Accountability 
Office financial audit manual and the yellow book of Government 
and audit standards 270 times out of 1,300 pages. 

So judgment is critical to being able to test and execute and 
achieve the 2014 date. 

Mr. Palazzo. I am out of time. I yield back. 

Mr. Conaway. All right. Thanks. 

Ms. Porter, you mentioned the — to flesh out, just for the record, 
the impact of having the service providers be audited by each of 
the — because the service providers don’t have their own audit that 
other accountants can rely upon, each of the various entities would 
in effect have to come in and audit that service provider itself. 

Can you walk us through why it would be less expensive audit- 
hour-wise and cost to the taxpayer if those service providers had 
documentation audits that they could give to the various branches 
and other components that the auditors there could rely on? 

Ms. Porter. What that means is that, if those independent-serv- 
ice-provider audits are available, the auditors of the statements 
themselves of the service organizations could rely on that work. 
There would only be — as long as that service provider audit covered 
the right period of time. 

So I will give you an example for the Marine Corps. If DFAS had 
had a service-provider audit that covered the last 9 months of the 
fiscal year, we would not have had to go in to the DFAS to look 
at their controls or look at the controls of the systems that they op- 
erate, such as the defense civilian pay system or the defense cash 
accountability system. 

Instead, we could have used the audit of that service provider 
and relied upon that report. That is assuming that that service pro- 
vider’s report was an unqualified opinion or that it identified where 
the weaknesses were, because then what that would allow us to do 
is then focus back into the Department what were the mitigating 
controls that they had in place to compensate for the weaknesses 
of the service provider. 

Mr. Conaway. Mr. Keeley, you mentioned the other day, in a 
conversation that we had — or today, in fact — that you are “systems- 
agnostic.” That was your phrase. 

Flesh that out. In the sense of you can audit, if the controls are 
there, no matter what the system, whether it is an FRP or a hand- 
posted set of books, if the controls are there, you can audit that. 

Would you, kind of, walk us through what you meant by that? 

Mr. Keeley. Yes. The controls need to be there. What we often 
find — and I will use an example of what I have seen in the field — 
is the earlier testimony you have received about ERPs talks about 
2,200 or so systems throughout the DOD. 



15 


Now, auditors are not afraid of size. So we can go in and look 
at the systems that need to he audited. But one aspect of the ERP 
solutions is to consolidate the data so that you don’t have duplica- 
tion of data. 

One area of systems that causes a great deal of problem in an 
audit, when you have data in duplicate systems, an auditor doesn’t 
know which to choose. And so, in working with business folks, if 
the business folks have data in a legacy system and an ERP sys- 
tem, it is difficult to first reconcile that information and then nail 
down a population. 

We spend a great deal of time identifying the absolute population 
upon which we can test. And if we can’t identify the population, we 
cannot move forward. 

So, less may be more in the case of the ERP consolidation; so I 
applaud the effort. But that is much more of a business decision. 
I do not want an audit to impede the DOD’s warfighting mission. 
If you need 2,000 systems to achieve the mission, I can audit it. 

So it is a matter of determining how much reliance I can place 
on that system. 

And the financial information systems audit manual has 424 
points to it. We all, as auditors, apply judgment to those points and 
we can address primarily half of them to get you to at least some 
reliance on internal controls and be much more efficient using 
judgment. 

Mr. Conaway. That reliance on internal controls, just for the 
record, drove the drop in audit hours from 8,000 audit hours to 400 
audit hours in that previous example. 

Mr. Keeley. That is a perfect example. If we go from no reliance 
on a system, because, for instance, if security is not locked down, 
to at least some reliance, the change in substantive testing is expo- 
nential. 

Mr. Conaway. All right. 

Ms. Boutelle, based on your experience, we talk about the work- 
force and the need for CPAs with a specific background in either 
financial statement audit or financial statement preparations. We 
have got a lot of folks, CPAs, in the system now. 

Is it all or none? Do you have to hire these folks from the outside 
totally, or can you cross-train or retrain or help get experience for 
the folks who are already on the team who know the way that 
these are going on, to help get them the skills necessary to be able 
to fill some of those slots that are lacking? 

Ms. Boutelle. So I think that they could work side by side with 
trained audit professionals. I think that the three firms here at the 
table have people on board helping in different places in DOD. I 
think, if they paired up some of their CPAs with the folks working 
audit readiness or even the audits, and they worked closely and 
they had a defined approach for how they would do that, I think 
that the experience gained by the current CPAs in the Govern- 
ment — that would enhance their capability to help the Department 
move forward. 

I do think that — you know, I am a CPA having spent most of my 
time in the Government. And I am not as proficient in audit as 
these two colleagues next to me. You know, I have lots of wonderful 



16 


audit practitioners back at Deloitte that I have learned a lot from 
in the 7 years that I have been there. 

So I do think that bringing in more seasoned audit practitioners 
to help guide the approach and then letting the folks within the 
Government learn from them would be a doable approach. 

Mr. Conaway. Thanks. 

We are going to have time for another round. Rob? 

Mr. Andrews. I really don’t have another round of questions at 
this time. 

Mr. Conaway. Okay. 

Todd, Scott, or Steve? 

Ms. Porter, the real-world example you were giving us about 
publicly held companies provide, or produce quarterly financial 
statements, and your firm is in their shop — well, some level of en- 
gagement with those quarterly reports. 

But that is not happening in the Federal — is there a similar 
process that could go on in the Department of Defense, in this ex- 
ample, that would shorten the timeframe needed to close out the 
books in November? I mean is there a way to look at what you do 
in the private sector with those quarterly reviews that you do and 
the impact it has on the year-end audits? Could that same model 
work in some altered form in a Federal agency? 

Ms. Porter. Well, first, let me say I am not advocating quarterly 
reports for the Federal Government. I really don’t want to be on 
the record of saying that because everyone will 

[Laughter.] 

Mr. Conaway. That was not 

[Laughter.] 

Ms. Porter. Yes. But what I think that does is it adds a dis- 
cipline and an exposure to the auditors that the DOD hasn’t experi- 
enced so far because they are in there having the conversations. 
They are having discussions around what are your management 
controls that you use? 

And this is where it is not the auditors that are driving what the 
civilian agencies or even the commercial entities are doing. Man- 
agement understands what they need to operate their business 
from a control perspective. And the auditors figure out how to use 
that information to get what they need to conduct the audit, to give 
management the feedback back as to whether they are using accu- 
rate financial information to make their decisions. 

It has been, from a DOD and a Government perspective, for 
years, but proprietary accounts weren’t looked at. They only fo- 
cused on the budgetary sides of the transactions. And that was 
often driven by what overseers were asking them to report back up 
on. 

So as they have tried to get themselves in tune to both sides of 
the transactions, the budgetary and the proprietary side, there has 
been a learning curve. And sometimes that learning curve has been 
impeded by not having the true understanding of what level of de- 
tail, what an auditor actually looks for, and they don’t have that 
in the commercial entities because they are so involved with each 
other all the time. 

Mr. Conaway. All right. Mr. Keeley, any comments in regard to 
that? 



17 


Mr. Keeley. No. Are you 

Mr. Conaway. Well, just that, you know, field work being done 
more regularly throughout the year — would that reduce the num- 
ber of total audit hours? 

One of the things we are obviously going to — at some point in 
time, get to a running rate in which the controls are in place; the 
systems are working and sustainability of the audits year in and 
year out is going to be the key. 

That first audit, you can’t maintain the level of intensity to get 
to that first audit year after year after year after year, I don’t 
think. 

Once you have got this thing running, what would be the role of 
the auditors during the normal process? 

Mr. Keeley. Well, yes. Congressman, my view is that continuous 
auditing has always been a bit of an enigma, even in the private 
sector. Yes, auditors are in the field, and we can do early sub- 
stantive testing. 

But from my experience in the private sector 7 years before I 
came down here, the private-sector companies have teams of spe- 
cialized accountants. They have tax departments with tax account- 
ants. They have statutory accountants focused on compliance re- 
porting. And then they have GAAP accountants. 

So they have entire teams in the field supplemented, of course, 
with internal audit. And they work at the companies. They are the 
companies’ employees. 

Our auditors, to the extent we can interact with them throughout 
the year and actually perform the testing I was talking about, defi- 
nitely expedites the audit. 

There are accounting standards and rules that allow us to per- 
form early testing and still rely on it for the year end. 

So it is definitely difficult to do, but it is done throughout the 
community. 

Mr. Conaway. Ms. Boutelle — I have got one more question for 
Ms. Porter — but, first, Ms. Boutelle, given your experience in both 
sides of the shop, is there a way to create a chain-of-command re- 
sponsibility at Department of Defense, other than have whoever 
the current Secretary of Defense is saying, day after day after day, 
get this done — in other words, can there. You know. Bob Hale has, 
or the Assistant Secretary of State — Comptroller really doesn’t 
have command reach into all these other places. 

So, given that org chart that is in place — and we are going to 
make a lot of changes to it — is there a way that we can get to a 
point or a system that holds all the folks at the various levels ac- 
countable for making sure this gets done, so that — any thoughts on 
that? 

Ms. Boutelle. I think, with the Secretary’s involvement and 
whoever the Secretary is, going forward, has to be involved. I think 
that that will send a very strong message. 

Now, I understand that the reality is that the Secretary is not 
going to meet with the business owners on a monthly basis, most 
likely, but some periodic forum would be beneficial. 

The Chief Management Officer and the Deputy Chief Manage- 
ment Officer, I think, having responsibility for the business proc- 
esses, the systems, would also be a very strong marriage between 



18 


those two roles, the CMO and the DCMO, with Bob Hale in driving 
this, that maybe between the two of them — I know Beth McGrath 
has got tremendous knowledge of the systems and the processes. 

I think coming together with Bob Hale they make a pretty formi- 
dable team. They have got to have the power, though, to direct 
changes within the business areas. And without that, they cannot 
be as successful as they need to be. 

Mr. Conaway. Ms. Porter, I can’t let you off the hook. What can 
you share with us, if anything, about the Marine Corps audit 
that — and you may not be able to talk to us about this year’s Ma- 
rine Corps audit, but can you share with us a perspective on the 
difference between where the Marine Corps was this time last year 
and where the Marine Corps is today, without telegraphing too 
much what is going to happen shortly? I couldn’t let you off the 
hook. 

Ms. Porter. Sure. 

So last year’s audit, in fiscal year 2010, we had a big struggle 
at the beginning of the audit. We didn’t get very far into the test- 
ing beyond beginning balances. We basically tested no current year 
transactions. 

For the fiscal year 2011 audit — well, let me go back to fiscal year 
2010. There were also quite a few findings and recommendations 
that came out of the audit that the Marine Corps started imme- 
diately to undertake remediation actions to while the audit was 
still under way. 

In fiscal year 2011, you could see that there was an improvement 
in the process, they better understood what we were looking for, 
they were better able to produce reconciliations and tie-outs of data 
that we had a big struggle with in the previous year. It is not per- 
fect because they still had some struggles this year. We thought it 
might be a little bit better. But they are moving in the right direc- 
tion. 

We have also got to a lot more current year testing this year 
than we did in the past. So you definitely see that they are becom- 
ing more accustomed to understanding what we are looking for. We 
are also becoming more accustomed to how they do business and 
what documentation they have. 

And so I see progress every year. And I also see them taking 
those lessons learned to the other Services. 

Mr. Conaway. All right. Typically, you know, in a commercial 
entity you give a set of financial statements. You also give them 
a statement of weakness of internal controls — did you see adequate 
remediation for the stuff that you discovered in the 2010 audit. Ma- 
rine Corps make — without specific details — ^but make adequate 
process at addressing those weaknesses and moving as far as you 
thought they could move in the time they had to move it? 

Ms. Porter. We issued two different sets of findings and rec- 
ommendations to the Marine Corps last year, one associated with 
information technology and one associated with the financial state- 
ment controls themselves. 

So the information technology piece, we did see quite a bit of 
changes and were able to test those actions that they took last 
year. And before we had to cut off testing I would say there was 
probably another 20 to 30 percent of them that are ready to be 



19 


tested right now, that the action actually took place after we 
stopped testing. 

For the financial statement findings, it is a little more difficult 
to address because we haven’t yet been able to conduct the test of 
the current year transactions, which — associated with those find- 
ings — which would actually in fact tell us whether the remediation 
actions worked. 

Mr. Conaway. All right. Okay. 

Rob, other questions? 

Mr. Andrews. Well, just as a concluding comment, think Ms. 
Porter’s limited sneak preview of the Marine Corps audit, which 
shows reason for optimism. And the chairman’s question about sus- 
taining the progress we have made beyond this Secretary of De- 
fense I think is the core challenge facing this panel. 

I think Secretary Panetta deserves enormous praise for giving 
this effort such a high priority. But there will be another Secretary 
of Defense soon. There always is. 

Mr. Conaway. Maybe even another president. 

Mr. Andrews. Maybe. That is right. And whether there is an- 
other president or this one, there is — you know, secretaries do 
change. 

And I do think that our key mission is to try to build into the 
culture of the institution and the structure of the institution a high 
priority on this audit readiness, because if we have to rely upon the 
leadership priorities of the person who is going to be secretary, I 
just don’t think we are ever going to achieve what we need to do, 
because, you know, priorities come and go. 

So the chairman and I have talked about this before. Think all 
members of the Panel and members of the public should be think- 
ing about advice they could give us on institutionalizing the 
progress that we have seen right now. 

I think very much of that is attributable to the chairman’s focus, 
laser-like focus on this issue for several years, and on Secretary Pa- 
netta’s admirable response to that. But we want to make this a 
principle that extends beyond individuals to a more embedded cul- 
ture in the organization. However we can do that, I think we will 
have made great progress. 

And I do appreciate the contribution of the three witnesses here 
this morning. Thank you. 

Mr. Conaway. Well, I want to echo Rob’s praise of Secretary Pa- 
netta, unprecedented forward leap and commitment to this issue. 
And I am really tickled to death he has made that. 

Just quickly, just kind of maybe a yes or no, have we got enough 
forward momentum toward this goal that this is actually going to 
happen? In other words, can we — we get beyond that tipping point 
where, yes, it is going to behard, and, yes, it may take a while, but 
have we got past that point where we really are going to make this 
happen, in your all’s perspective? 

Mark. 

Mr. Keeley. Yes, sir, I believe so. One of the topics I talked 
about in my testimony was the lessons learned. So we have a great 
deal of lessons learned from the Marine Corps, from the Army 
Corps, from DISA and others. And we are always looking back at 
those lessons and applying them going forward. 



20 


So applying the lessons and speeding the training and momen- 
tum is certainly achievable. 

Mr. Conaway. Okay. 

Tracy, your perspective? 

Ms. Porter. I do think the goals are there. I think the 
sustainment across the Department at the lower levels so that it 
doesn’t go away when the Secretary changes is critical to make this 
leap forward that they are trying to get to. 

So with that right amount of focus and with those lessons con- 
tinuing to being learned and nobody backing off from that progress 
and just keeping that pressure on, because you take the pressure 
of the audit readiness or the pressure of the audit off, the way 
things work right now aren’t yet well ingrained in everybody with- 
in the Services. So they will immediately fall back to their old way 
of doing business. 

So you have to just keep this pressure and this momentum in 
order to keep us going in the direction that they need to go. 

Mr. Conaway. JoAnn, your comments? 

Ms. Boutelle. I agree with Ms. Porter. I think that you have 
to keep the pressure on. I think that the momentum is there, it is 
moving, you have brought tremendous attention to this topic. But 
there is a ways for them to go for the business owners to truly em- 
brace and understand their responsibility. 

So, again, I think that they can make it if you keep the pressure 
on them. 

Mr. Conaway. All right. 

Well, thank you three. I appreciate the witnesses today. And we 
did not telegraph that question. We try to make sure this panel 
keeps existing. No. 

[Laughter.] 

One of our big issues is how do we put in place the right kind 
of attention at the committee so that when Rob and I are doing 
something else or going somewhere else, that pressure and that 
commitment from our side on the oversight piece remains in place 
in the appropriate manner to make sure we do our part of that. 

Again, thank the witnesses for being here this morning. 

We are adjourned. 

[Whereupon, at 8:56 a.m., the panel was adjourned.] 



APPENDIX 

November 17, 2011 




PREPARED STATEMENTS SUBMITTED FOR THE RECORD 


November 17, 2011 




Statement of Hon. K. Michael Conaway 

Chairman, Panel on Defense Financial Management and 
Auditahility Reform 

Hearing on 

Industry Perspectives on Achieving Audit Readiness 
November 17, 2011 

I’d like to welcome everyone to today’s hearing on Industry Per- 
spectives on Achieving Audit Readiness. Over the past 4 months, 
we have heard from a variety of witnesses within Government, in- 
cluding representatives from the offices of the OSD and Military 
Department Comptrollers, the DOD functional communities, the 
DOD Office of Inspector General (OIG), and the GAO on the chal- 
lenges the Department faces in achieving audit readiness and its 
efforts to resolve these issues. Today, as the Panel nears the com- 
pletion of its work, we turn to accounting firms that have experi- 
ence out in the private sector, as well as within Government, to get 
their views on the impediments to DOD achieving auditahility and 
the actions needed to address these challenges. 

In addition to having experience performing work at various 
other entities, these firms are involved in almost every aspect of 
DOD’s financial improvement and audit readiness (FIAR) effort, 
ranging from assisting DOD components in implementing the FIAR 
strategy, to assisting the Office of the Under Secretary of Defense 
(Comptroller) in performing its review of the DOD components’ 
progress, to actually performing certain audits themselves. There- 
fore, they can provide a well informed point of view on the prob- 
lems facing DOD as it works towards achieving auditahility on the 
Statement of Budgetary Resources by 2014 and the full set of fi- 
nancial statements by 2017. 

Some of the challenges that have been identified to date include 
sustaining leadership and effective oversight, ensuring workforce 
competency, implementing Enterprise Resource Planning (ERP) 
systems, resolving long-standing internal control weaknesses, and 
managing organizational challenges associated with having a large 
and complex organization such as DOD. The witnesses here today 
may or may not consider all of these issues as impediments to im- 
proving financial management and achieving audit readiness, or 
they may have a slightly different take on the issues, or they may 
identify different challenges all together. Most significantly, they 
may be able to provide alternative options on how to overcome 
these weaknesses. That is why I look forward to hearing their ex- 
pert views on the issues confronting DOD and possible courses of 
action to address these challenges. 

( 25 ) 



26 


I would like to thank our witnesses in advance for their testi- 
mony and agreeing to he with us this morning. We have with us 
today: 

• Ms. JoAnn Boutelle, Partner, Deloitte & Touche LLP; 

• Ms. Tracy Porter, Partner, Grant Thornton LLP; and 

• Mr. Mark Keeley, Partner, PricewaterhouseCoopers LLP. 



27 


Written Testimony of JoAnn Boutelle 
Partner, Deloitte & Touehe LLP 

November 17, 2011 

Chairman Conaway, Congressman Andrews, and Members of the Panel, thank you for 
the opportunity to testify today concerning industry’s perspective on achieving audit 
readiness at the Department of Defense (DOD). 

I have had the unique experience over the last 26 years serving in both government and 
now industry to help organizations navigate their way through the most complex auditing 
and financial management challenges. For the past seven years, I have been at Deloitte 
working side by side with audit and consulting professionals, expanding my knowledge 
of best practices in the audit and financial management areas. 

Deloitte LLP and its subsidiaries have more than 50,000 employees working from 89 
IJ.S. cities, providing audit, tax, financial advisory and consulting services to commercial 
and government clients. Deloitte’s Federal Practice, consisting of over 6,500 
professionals, has been providing audit readiness support to the Army, Air Force, Navy 
and other parts of DoD. 

Prior to joining Deloitte, I worked as the Deputy Chief Financial Officer (DCFO) at DoD 
for over two years, and prior to that at the Defense Finance & Accounting Service 
(DFAS). While serving as the Deputy Chief Financial Officer, 1 constantly challenged 
the lack of accountability and the need to improve financial statements, business 
processes, and systems. 1 worked to implement actions which started the Department on 
the path towards not only achieving audit readiness but also improving the quality and 
timeliness of data for the decision makers. Let me share a few examples: 

• First, I initiated a requirement for the Components’ Financial Managers to brief 
their financial statements to the DoD CFO twice a year. It turned out to be harder 
than I thought for the Financial Managers to explain the causes of the changes in 
the financial information. The Financial Managers and their staff lacked the 



28 


understanding of how business events impacted the financial statements. My 
team at DoD worked collaboratively with the Departments’ Financial Managers to 
educate and train their staff to understand the complexities of the financial 
statements. Today the Components’ Financial Managers are more knowledgeable 
of the business impacts on the financial statements and are involved in discussions 
on how to get their organizations ready for a financial statement audit. 

• Another example goes to the heart of the challenge DoD leadership is facing 
around stove-piped systems with unique business processes. There is a lack of 
standard processes, standard data and effective controls in so many systems. This 
makes it difficult to compile meaningful data at the DoD enterprise level for 
Department-wide analy.sis. It also makes it difficult to determine if the processes 
and systems are operating in compliance with laws and regulations. To get one 
authoritative source of the business rules that should be used by the Department, 1 
put in place the business enterprise architecture (BEA). Business rules are 
critical and should include needed controls, validation edits to ensure integrity of 
the data, hand-offs between business partners, details of process flow, and data 
standards. An organization as large and as complex as the DoD needs a BEA so 
that there is one place to go to, one master architecture, when developing a system 
of how to do business in and with DoD. 

• Last, the Components needed a plan of the deficiencies that would prevent them 
from obtaining an unqualified audit opinion and associated corrective actions. 
These were pretty basic plans at the time and did not have all the actions required 
to identify all the deficiencies. The Components continue to improve on their 
plans as they gain more knowledge about what is required to complete a financial 
statement audit. 

These were strategic, effective initiatives stEuted when I was at DoD and DoD leaders 
have continued to improve on them. However, there are two additional areas critical for 
DoD to achieve an unqualified audit opinion; 1) An increased and sustained commitment 
from DoD leadership, and 2) a workforce with the applicable financial and technical 
competencies. 



29 


Leadership 

A commitment from DoD leadership starting at the Secretary level is critical to achieve 
audit readiness by 2017, This belief comes from Deloitte's direct experience working 
with both commercial and government clients. Over the past decade, Deloitte has helped 
government agencies successfully transition from an unauditable to an auditable state. In 
the commercial audit space, we worked closely with companies as they strived to 
transform their organizations to comply with the Sarbanes Oxley Act of 2002, or 
reconstract their financial statements following bankruptcy or fraud. In each of these 
experiences, the common thread that helped them succeed was dedicated leadership and a 
commitment from the top to meet tangible milestones. 

While commercial organizations from the CEO and COO levels drive initiatives to fix 
processes and tighten controls, DoD lacked the commitment to devote the level of time 
and resources necessary to achieve audit readiness. Secretary Panetta’s recent 
announcement that he is now personally involved in driving the Department to achieve 
audit readiness is a major signal that this is a top priority for the Department. 

For the past 9 years, the Chief Financial Officer, his staff, and the financial management 
community across the DoD demonstrated leadership in coming together to tackle the 
tough aspects of fixing their business processes and systems. I commend them for their 
daily commitment to this effort. However, 1 believe the responsibility for the controls 
over assets and compliant reporting of accounting events is the primary responsibility of 
the business process owners. Business owners within the Department must come 
together with the financial management community to jointly correct deficiencies that are 
preventing DoD from becoming audit ready. The Department requires a 100% 
commitment from all facets of the organization, not just the financial managers. Cross 
functional ownership at the senior levels cannot be forced by the CFO who is a peer to 
many of the business leaders. This is a job for the Secretary and the Deputy Secretary 
and an area for tangible and measurable improvement. 



30 


Let me provide an example within DoD where a director of an agency became personally 
involved in achieving auditability, with results and remediation, leading to significant 
cost savings. The Defense Information Systems Agency (DISA) started on a journey to 
obtain an audit opinion on its financial statements in the 2005 timeframe. The DISA 
director and other DISA leadership were personally involved and actively drove the 
remediation efforts, resulting in significant cost savings. Deloitte assisted them and it 
took about three years to identify their audit weaknesses and for DISA leadership to 
impiement corrective actions. In our opinion, the direct and ongoing involvement of 
DISA senior leaders was a major factor in their success. DISA has just successfully 
completed a FY201 1 Working Capital Fund financial statement audit. In addition to 
getting their financial house in order, DISA also identified close to $400M of funds they 
were unaware were available. This was a major success for the organization - a 
commitment and investment by the DISA Director and the DISA leadership team to 
remediate their financials, leading to more efficient and responsible organizational spend. 

Deloitte saw similar challenges in recent years on the commercial side of our business 
where CEOs and COOs had to aggressively lead the implementation of the Sarbanes 
Oxley Act. Many of our commercial clients were struggling to meet the compliance and 
reporting demands placed on them by the Act. For many of our clients, achieving 
compliance with the Act’s requirements involved significant transformation of their 
culture, business practices and systems, and internal controls. These organizations 
quickly learned that success required the full engagement of chief executives not only in 
Finance, but also in Operations, Information Systems, Human Resources, and in the 
business units which were in many cases highly decentralized and global. This pattern of 
leadership engagement is critical to the Department’s ability to meet its aggressive audit 
readiness timelines. 

I believe this Panel can help by reinforcing the need for full engagement, commitment 
and accountability from Defense leaders across the organization to the Departnieiif s 
audit readiness goals. This means that Departmental Chief Management Officers 



31 


(CMOs), Chief Information Officers (CIOs), acquisition leaders, supply and logistics 
leaders, human capital officers and others must better understand their role in the audit 
readiness process, and take ownership and accountability for the results. Without this 
leadership commitment, I do not believe the Department will meet its 201 7 goal. 

Workforce 

Now, let me address the second critical area for success ~ the need to improve the 
competencies of the DoD workforce involved in processing the business transactions at 
the DoD. The financial management staff of the DoD are some of the most dedicated 
people I have had the honor of working with during my entire work career; but there are 
many other DoD employees who are equally dedicated in the business units processing 
transactions. They know their systems and processes and through their efforts, critical 
supplies and support are provided to the military. However, they also need to ensure the 
integrity and soundness of the financial data they are creating. This will most effectively 
be accomplished through established internal controls, compliance with policy and 
procedures, and more integrated processes. 

There is a need to enhance financial controls within the business processes and systems to 
improve on the accuracy and completeness of data recorded timely into the financial 
systems. Removing the human element and adding more automation is the most 
effective and consistent way to add these needed financial controls. There are thousands 
of people across DoD touching transactions that create financial events. These people do 
not have to be trained accountants. They need to be trained supply technicians, personnel 
clerks, or contracting officers - or the various functional technical competencies of their 
job. They also need to understand their role in financial management. 

So what are the skills needed by DoD personnel? 

• People who are involved in the financial statement preparation should be CPAs 
with financial statement audit experience. Increasing the number of CPAs in 
DoD can be achieved by hiring people who already possess their CPA designation 



32 


and incentivizing current employees, who meet the criteria, to take the CPA 
exam. 

• People who process transactions should be trained in accounting controls and 
processes related to their jobs. The Certified Defense Financial Manager 
certification provides a foundation of government accounting and controls. 

• Leading an audit or audit readiness program requires people with experience in 
leading financial statement audits. The DoD lacks people with this expertise and 
where there are gaps, government should rely on industry to support. Getting to 
the first audit opinion is the most difficult step, and the need for seasoned audit 
professionals are needed to help DoD focus their resources most effectively. 

Conclusion 

Government and its industry partners share the same goal. We want to see the 
Department of Defense achieve an unqualified audit opinion and for them to meet their 
deadlines. But sometimes, there are elements that impede their ability to get the job 
done. 

How do we overcome them? We do so by focusing on leadership, the financial 
management competencies needed across the workforce, and a culture of commitment to 
making the changes necessary to achieve auditability. 

The DoD and industry must work together to meet these goals. 

I want to thank the Panel for holding a series of hearings on Defense financial 
management and auditability reform, and for your laser focused attention on this very 
important issue. Thank you and 1 look forward to your questions. 



Deloitte. 


33 



JoAnn R. Boutelle 

Deloitte Services LP 

(571)882-5230 

jboutene@deloitte.com 


Ms, Boutelle is the Federal Practice’s Partner on the National Chief Financial Officer Program. 
Until recently, Ms, Boutelle was Deloitte's Lead Client Service Partner for Department of 
Defense (DoD) Agencies, Joint Commands, and Offices of the Secretary of Defense. 

Prior to joining Deloitte, she had a DoD career where she was recognized as a committed leader 
to reforming business processes and incorporating the accounting, finance and internal control 
requirements for strong DoD end-to-end business processes. Ms. Boutelle is extremely 
knowledgeable in the DoD environment and related DoD policies and procedures. She led the 
DoD Business Management Modenrization Program which is by far the largest single 
transformation project in the world. She has led major business process transfonnation 
initiatives for the DoD. While at the Defense Finance and Accounting Service ( DFAS) and as 
Deputy Chief Financial Officer (CFO) for DoD she supported major efforts to implement 
standard bastness rules and technology. During her role as Deputy CFO, she was directly 
re.sponsible for bringing together Goveniment Accountability Office (GAO), Office of 
Management and Budget (OMB), and DoD Inspector General (IG DoD) to work on a joint effort 
for improved financial management practices for the DoD. 

Ms. Boutelle is a Certified Public Accountant and earned her bachelor's degree in accounting 
from Indiana University in 1982. She received her ma.sfer's degree in the management of 
infoiTiiation technology from George Washington University in 1998, Ms. Boutelle is a graduate 
of the DoD Senior Executive Leadership Program. 



34 


DISCLOSURE FORM FOR WITNESSES 
CONCERNING FEDERAL CONTRACT AND GRANT INFORMATION 

INSTRUCTION TO WITNESSES: Rule 11, clause 2(g)(5), of the Rules of the U.S. 
House of Representatives for the 112* Congress requires nongovernmental witnesses 
appearing before House committees to include in their written statements a curriculum 
vitae and a disclosure of the amount and source of any federal contracts or grants 
(including subcontracts and subgrants) received during the current and two previous 
fiscal years either by the witness or by an entity represented by the witness. This form is 
intended to assist witnesses appearing before the House Armed Services Committee in 
complying with the House rule. 

Witness name: JoAnn Boutelle 

Capacity in which appearing: (check one) 

Individual 

_x Representative 

If appearing in a representative capacity, name of the company, association or other 
entity being represented: Deloitte & Touche LLP 

JoAnn Boutelle is a Partner of Deloitte & Touche LLP, which is a subsidiary of Deloitte 
LLP. The subsidiaries of Deloitte LLP (which include Deloitte Consulting LLP, Deloitte 
& Touche LLP, Deloitte Financial Advisory LLP and Deloitte Tax LLP), through each of 
their federal practices (the "Federal Practices"), collectively perfonn in excess of $1 
billion annually with the federal government. 

The Federal Practices currently support approximately $300 million annually in prime 
contracts with the Department of Defense (DOD). Of these, over $ 1 0 million is related to 
audit readiness services at DOD. Moreover, Deloitte LLP's subsidiaries may plan to 
pursue future contracts and subcontracts that support or relate to supporting DOD in their 
efforts to achieve an unqualified audit opinion. 

FISCAL YEAR 2011 


federal grant{s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 
grant 

N00178-04-D-4020 

Navy HQ 

$4,479,082.30 

Financial improvement Program 
Management 

HQ0423-10-F-5002 

OSD Comptroiter 
(FtAR) 

$3,069,440.10 

FIAR office support 

N00033-12-C-8017 

Military Sealift 

Command 

$2,054,426 

N-8 audit readiness support 

N00178-04-DA077 

Office of Navai 

Research 

$1,068,313,15 

Financial Improvement and Audit 
Readiness support 


FISCAL YEAR 2010 



35 


federal grant(s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 
grant 

N00140-05-D-0019 

Office of Nava! 

Research 

$2,019,715.44 

Financial Improvement and Audit 
Readiness support 


FISCAL YEAR 2009 


Federal grant(s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 
grant 

N00140^05-D-0019 

Office of Naval 

Research 

$1,999,835.65 

Financial Improvement and Audit 
Readiness support 


























Federal Contract Information: If you or the entity you represent before the Committee 
on Armed Services has contracts (including subcontracts) with the federal government, 
please provide the following information: 

Number of contracts (including subcontracts) with the federal government: 

Current fiscal year (201 1): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

Federal agencies with which federal contracts are held: 

Current fiscal year (2011 ): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

List of subjects of federal contract(s) (for example, ship construction, aircraft parts 
manufacturing, software design, force structure consultant, architecture & engineering 
services, etc,): 

CuiTent fiscal year (2011 ): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

Aggregate dollar value of federal contracts held: 

Current fiscal year (201 1 ): ; 

2 





36 


Fiscal year 2010: 
Fiscal year 2009: 


Federal Grant Information: If you or the entity you represent before the Committee on 
Armed Services has grants (including subgrants) with the federal government, please 
provide the following information: 

Number of grants (including subgrants) with the federal government: 

Current fiscal year (201 1): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

Federal agencies with which federal grants are held: 

Cun-ent fiscal year (201 1): ; 

Fiscal year 2010: H II ; 

Fiscal year 2009: . 

List of subjects of federal grants(s) (for example, materials research, sociological study, 
software design, etc.): 

Current fiscal year (201 1 ): 

Fiscal year 2010: ; 

Fiscal year 2009:_ . 

Aggregate dollar value of federal grants held; 

Current fiscal year (2011); ; 

Fiscal year 2010; ; 

Fiscal year 2009: . 


3 



37 


Grant Thornton 


Statement of Tracy E. Porter, 
Partner, Grant Thornton LLP 

Before the House Armed Services Committee Panel on Defense Financial 
Management and Auditability Reform 

November 17, 2011 


Not for publication until 
Released by the 

House Armed Services Committee 



38 


Qaairaian Conaway, Ranking Member Andrews and distinguished members of the 
Panel, good morning and thank 5 ^u for inviting me to testify today on behalf of Gi^t 
Thornton LLP. I applaud this panel’s commitment to bringing financial management 
excellence to the Department of Defense and am pleased to be able to share with you 
my perspective of the impediments to DOD achieving audit readiness and actions 
DOD needs to take to become audit ready. Now, I know for some audit readiness at 
DOD may seem like a stru^Ie that will not soon be won, but in fact there have been 
many financial management improvements in the Defense commumty in the 24 years 
I have been involved with it. In the recent past I have seen significant changes, 
including a much stronger focus on improving financial management, and not simply 
because of the audit. Instead, there is a strong and sincere desire at DOD to give 
Defense managers and warfighters better financial information with which to make 
important decisions and manage daily affairs. I am impressed by the attention that 
DOD is giving to internal controls and the Defense community’s understanding of 
their importance to the mission, not Just the audit. 

Today I will discuss my perspective on the Department’s audit readiness challenges, 
which has been formed as a result of conducting audits and audit readiness 
engagements for the federal government, as well as for private sector cKents and state 
and local governments. As yDu may know. Grant 'Lhomton LLP was recently retained 
to perform an audit of the United States Marine Corps’ annual financial statements, 
llie results of that audit are not the subject of my testimony today. Rather, I hope to 
share with the panel members observations I’ve made in my many years as a public 
sector audit professional. 

The Chief Financial Officers Act of 1990 first established the requirement that 
agencies produce audited financial statements. Since that time, most federal agencies 
have made steady progress producing financial statements, subjecting them to audit, 
and receiving unqualified opinions from auditoi's. The Department of Defense is an 
outlier. GAO recently testified, “Over the years, DOD has initiated several broad- 
based reform efforts to address its long-standing financial management weaknesses. 
However, as we have reported, those efforts did not achieve their intended purpose of 
improving the department’s financial manj^ement operations.”^ 

Before discussing the challenges and impediments, I would like to acknowledge the 
efforts of the Department’s senior leadership to reform financial management within 
the Department. Transforming an entity as large and decentralized as the Department 
is no easy task, especially w'hen the entity is entrenched in hundreds of year's of 
business that focused on budgetary accounting and not proprietary accounting. The 
senior leadership of the Department has demonstrated a commitment to improving 
financial management and taken actions necessary to address the known impediments 
to improve financial operations. 

DOD faces unrealistic expectations 

Improving financial management is the ultimate goal of requiring audited financial 
statements. But the ix>ad to an tmquaiified opinion (often referred to as a clean 

‘ Government Accountability Office, DOD Financial Management: Improved Controls, Processes, and Systems Are Needed 

for Accurate and Reliable Financial Information; Report Number GAO-1 1-933T (Washington, DC, September 23, 2011). 



39 


opinion) is often rocky. Too often, oi^anizations and their stakeholders have 
unrealistic expeaations about the results of early audits. Some of these expectations 
may derive from the term “audit readiness.” 

When laymen hear the term audit readiness they may assume it means an organization 
has sufficiently strong financial man^ement in place that it is likely to obtain an 
unqualified opinion on its financial statements. It often means, however, that an 
organization simply has enough evidence ready to subject to the scrutiny of auditois, 
even though the result may be a qualified opinion or even a disclaimer. And though 
receiving a qualified opinion or disclaimer may be painful, it is the first step most 
federal agencies have had to take before substantially improving their financial 
management operations. 

For example, fewer than half of the major federal departments and agencies received 
unqualified opinions on their FY 1998 financial statements. Just three missed this 
milestone with their FY 2010 financial statements. So for most agencies, their first 
opinions weren't unqualified - many received disclaimer opinions for several years. 

Yet a disekumer can be the clearest roadmap for an organization seeking an 
unqualified opinion. It gives leadership the clear direction they need on where to focus 
audit remediation efforts. 

So, auditing an entity for the first time is the first step in an organization’s audit 
maturity process. With a first audit, management Is making transparent to the auditors 
the organization’s financial statements, internal controls, and the information used to 
manage the financial and performance aspects of the enterprise. Auditors simply test 
the information to ensure it is (1) fairly and accurately presented (i.e., free of material 
errors), (2) presented in accordance with standards and management policies, and (3) 
in compliance with accounting standards. It is import. mt to remember what an audit 
opinion is and what it is not. An unqualified opinion means the finatKial information, 
as presented in the statements, ate not materiaUy misstated. Even with an unqualified 
opinion, more often than not, federal departments and agencies still suffer from lack 
of compliance with laws and regulations or weaknesses in internal controls. 

IX)D is among the most complex organizations in the world. I cannot improve upon 
the way GAO put it: 

DOD is one of the largest and most complex organizations In the world. For 
fiscal year 2012, the budget requested for the department was approximately 
$671 billion — $553 billion in discretionary budget authority and $118 billion 
to support overseas contingency operations. The fiscal year 2012 budget 
request also noted that DOD employed over 3 million milkary and civilian 
personnel — including aaive and reserve service members. DOD operations 
span a wide range of defense organizations, including the military departments 
and their respective major commands and functional activities, large defense 
agencies and field activities, and various combatant and joint operational 
commands that are responsible for military operations for specific geographic 
regions or theaters of operation. To execute its operations, the department 
performs interrelated and interdependent business functbns, including 
financial management, logistics management, health care management, and 



40 


procurement. To support ks business functions, DOD has reported that it 
relies on over 2,200 business systems, including accounting, acquisition, 
logistics, and personnel systems.^ 

Like almost every action it takes, DOD's audit will be the single largest audit 
undertaken . . . ever. The complexity is compounded by the fact that DOD’s 
operations span our nation’s history, whOe the focus on audit readiness is relatively 
recent. Most lai^e companies undergoing an audit for the first time are “audit ready” 
from day one. The drive for profit ingrains in private sector personnel the essential 
nature of financial managers to (^cision making. Companies recognize that without 
the financial managers’ input into key business decisions, they don’t have an adequate 
imderstanding of the availability of resources to cany out operations, lliat “natiue” 
has not been part of the federal government’s way to doing business. In the past, 
execution of mission, despite costs and resources needed, was paramount and the 
practice was that the needed funding just appeared. Tliere was no constmint. Wliiie 
that is changing today within the Department and the federal govemment as a whole, 
past practices are slow to change because of the size and nature of the entities 
involved Financial statements still reflect tmnsactions based on the business processes 
of the past. So expecting a clean audit the first time auditors go into an oi^anization Is 
unrealistic, particularly in the case of an organization the size, complexity and history 
of the Department of Defense. 

Just as we should manage our expectations of DOD’s audit readiness, we should also 
ensure we are imposing realistic deadlines. In a publicly traded company, auditors are 
in an oi^anizaiion every quarter, but still have 90 days to audit financial statements. 
Though the CFO Act originally set the deadline for audited financial statements at 
March 3 1st, today OMB has accelerated that date to no later than 45 calendar days 
after the end of the fiscal year. In my view, it is simply impractical to subject an 
organization as complex as DOD to this unreasonable deadline when its fii'st 
subjected to audit scrutiny, especially when publicly traded counterpaits of much 
smaller size and less complexity have twice as long to accomplish the same titsk. 

Clear lines of responsibilities among DOD agencies and service 
providers are lacking 

DOD agencies rely on a complex web of service providers (e.g., DFAS and DISA) to 
support them in the performance of their mission. As such, DOD agencies rely on 
these service providers to perfoim financial management functions (e.g., internal 
controls, transaction processing, and system maintenance). In carrying out these 
functions, DOD agencies often assume proper internal controls exist within the 
service providers, while service providers rightly assume that such policies and 
procedures are the responsibility of agency management. It may surprise panel 
members to know that DOD service provider policies, procedures, and controls aren’t 
subjected to the same scrutiny as service providers in other agencies. SSAE No. 16 -- 
Statement on Standards for Attestation Engagements No. 16, Reporting on G>ntrois 
at a Service Organization - is the standard set by the American Institute of Ceitified 
Public Accountants for judging the adequacy of controls in place in service 


2 Id, 



41 


organizations. It is required at civilian public sector service providers like the Bureau 
of Public Debt and the Department of the Interiors data center. DOD agencies need 
confidence that service providers have proper internal controls. Tliis confidence can 
only be gained through what are called SSAE 16 audits. DOD agencies and service 
providers also need a service provider agreement that documents what the service 
provider is to do for the agencies. That agreement should include detailed descriptions 
of internal controls. Today, this disconnect results in poor controls and injects risk in 
every transaction. 

This should not absolve DOD t^encies of their own responsibility. DOD agencies 
should not rely on outside entities for their financial management. Agency- 
management must be accountable for financial management - financial management 
policies, procedures, and the resulting data - and make its reliability a priority. 
Delegating this responsibility to service providers or others will dilute accountability 
and the accuracy and reliability of financial information will suffer. 

Weak internal control environment 

Internal controls are the plans, methods, and procedui-es that provide reasonable 
assurance that objectives are being achieved in the following areas; (1) effectiveness 
and efficiency of operations, (2) reliability of financial reporting, and (3) compliance 
with appEcable laws and regulations. Financial statement audits often find weaknesses 
in these areas and make reconunendations on how to improve. In an organization as 
large, complex, and decentralized as DOD, a unifonn approach to internal controls 
would greatly enhance financial management throughout the enterprise. Otherwise, 
Defense agencies and service providers are left to adopt their own approach to 
internal controls, which leaves sound financial mant^ement to chance. Moreover, 
without a unifomr approach, it is difficult to share and adopt lessons learned in all 
DOD t^encies and service providers. Ihe DOD controls environment is far from 
standard, resulting in a decentralized, sometimes ineffective, financial management 
environment. While a weakened internal control environment, in itself, does not mean 
an opinion cannot be issued on the Department’s financial statements, it does mean 
that the audit is more time consuming and costly. 

Leigacy data and systems 

As described in the previously cited GAO report, DOD financial management “relies 
on over 2,200 business systems.” Tlus would be difficult enough were such systems 
under some standardization. Unfoitunately, consistent policies on data management 
are not in place. For instance, financial data in some systems, though important for 
budget execution, is not required to be maintained for any period of time. Likewise, 
beginning balances are often unauditabie. There is simply no consistent policy for 
maintaining data and records that meet professional standards. 

In tny view, DOD should not go back and undo the sins of the past - the cost of 
auditing old transactions recorded in financial systems would far outweigh the 
benefits. But it does need standard policies and procedures in place to govern systems 
and the data they maintain. DOD must be able to provide auditors data that support 
reported balances in a timely fashion. Furthermore, all shared systems and processes 



42 


should undergo SSAE 16 testing to enhance their efficiency and cut the cost of the 
audit. 

DoD’s financial management workforce 

Human capital is a major management challenge throughout the federal government. 
But the chain of command in the Defense community, like in other areas, adds 
complexity. Financial management officials at headquarters have no authority over 
financial management professionals in the field. Under such circumstances, local 
financial managers are more loyal to local commanders dian to top DOD and 
component financial executives. This lack of a financial management chain of 
command makes it difficult to apply consistent financial management policies and 
standardized processes throughout the Defense enterprise. 

Too many layers of management in DOD financial management organizations also 
impede progress. Flattening organization structures throughout DOD’s financial 
management workforce would improve audit timeliness and efficiency. 

Conclusion 

I’ve discussed the challenges to audit readiness, as requested. And though they are 
many, the talent and energy being invested by DOD in improved financial 
man^cment is unprecedented. With DoD’s continued leadership and attention, and 
the support and pressure applied by panels such as this one, I am sure we will soon be 
reminiscing about just how steep this climb seemed at one time. World class financial 
mani^ement at DOD could be here before we know it. 



43 


About Tracy Porter, CPA, CGFM 

Ms. Porter is a Partner at Grant Thornton with more than 22 years of experience in 
the audit and evaluation of federal government financial statements, internal controls, 
and accounting and financial management systems and operations. She has overseen 
many projects on federal accounting, financial management, auditing and budget, 
along with developing and revising operating policies and procedures for federal 
agencies and designing or evaluating financial reporting internal controls. In addition, 
she has directed projects aimed at helping agencies obtain unqualified audit opinions. 
Ms. Porter has extensive experience and expertise in Department of Defense financial 
management, including in reporting, accounting, budgeting, and disbuj-sing. 

About Grant Thornton LLP 

The people in the independent firms of Grant Thornton International Ltd provide 
personalized attention and the highest-quality service to public and private clients in 
more than 100 countries. Grant Ihomton LLP is the U.S. member firm of Grant 
Thornton International Ltd, one of the six global audit, tax and advisoiy organizations. 
Grant Thornton International Ltd and its member firms are not a worldwide 
partnership, as each member firm is a separate and distbct legal entity. Grant 
Thornton’s Global Public Sector, based in Alexandria, Va., provides expert audit and 
audit readiness services to major federal departments and agencies and to state and 
local governments. 

Visit Global Public Sector at ww\v.in-antrhornr(sn.c()m,'''publicsect or. 



44 



Tracy Porter 

Partner - Global Public Sector 
Grant Thornton LLP 


Tracy has over 21 years of experience in the audit and evaluation of 
federal government financial statements, internal controls, and accounting 
and financial management systems and operations. She has overseen 
numerous large engagements demonstrating her extensive knowledge of 
federal accounting, financial management, auditing and budgeting to 
include developing and revising operating policies and procedures for 
federal agencies and designing or evaluating financial reporting interna! 
controls. She specializes in auditing federal government financial 
statements as well as preparing federal government agencies for audit. 
Tracy has extensive experience and special expertise in Department of 
Defense financial management. 

Before joining Grant Thornton, she was a Senior Auditor with the 
Government Accountability Office where she was responsible for auditing 
the financial statement and internal controls of Department of Defense 
entities. 

Tracy is a graduate of West Liberty State College in West Liberty, WV. 

She is a licensed Certified Public Accountant (VA and DC) and a Certified 
Government Financial Manager. She is member of the American Institute 
of Certified Public Accountants and the Virginia Society of Certified Public 
Accountants and active in the Northern Virginia Chapter of the Association 
of Government Accountants and the Washington DC Chapter of the 
American Society of Military Comptrollers. 


Tracv resides in Centreville. VA with her two children. 



45 


DISCLOSURE FORM FOR WITNESSES 
CONCERNING FEDERAL CONTRACT AND GRANT INFORMATION 

INSTRUCTION TO WITNESSES: Rule 1 1, clause 2(g)(5), of the Rules of the US. 

1 louse of Representatives for the 1 ! 2*'' Congress requires nongovernmental witnesses 
appearing before House committees to include in their written statements a curriculum 
vitae and a disclosure of the amount and source of any federal contracts or grants 
(including subcontracts and subgrants) received during the cunent and two previous 
fiscal years either by the witness or by an entity represented by the witness. This form is 
intended to assist witnesses appearing before the House Armed Services Committee in 
complying with the House rule. 

Witness name: t 

Capacity in which appearing: (check one) 

Individual 

2 Representative 

If appearing in a representative capacity', name olThc company, association or other 
entity being represented: Jcr.TJArTr ~ n-teac?Ni rOoJ LL-P 


FISCAL YEAR 2011 


federal grant(s) / | federal agency 
contracts 

dollar value 

subject(s) of contract or 
grant 






A 


“ , | 







I 



j 


FISCAL YEAR 2010 


federal gTant{s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 
grant 









SUH:- 

r -/-A ) ! ; 

j JGG - 











FISCAL YEAR 2009 



46 


Federal grant js) / 
contracts 

federal agency 

dollar value 

subject{s) of contract or 
grant 










-Af 


r. 










. 






Federal Contract Information: If you or the entity you represent before the Committee 
on Armed Services has contracts (including subcontracts) with the federal government, 
please provide the following information: 

Number of contracts (including subcontracts) with the federal government; 

Current fiscal year (2011) 

Fiscal year 2010: 

Fiscal year 2009: 

Federal agencies with which federal contracts are held: 

Current fiscal year (2011) 

Fiscal year 2010: 

Fiscal year 2009: 

List of subjects of federal contract(s) (for example, ship construction, aircraft parts 
manufacturing, software design, force structure consultant, architecture & engineering 
services, etc,): 

Current fiscal year (2011): ; 

Fiscal year 2010: __ _ 

Fiscal year 2009: . 

Aggregate dollar value of federal contracts held: 

Current fiscal year (2011) 

Fiscal year 2010: 

Fiscal year 2009: 





2 



47 


Federal Grant Information: If you or the entity you represent before the Committee on 
Armed Services has grants (including subgrants) with the federal government, please 
provide the following information: 


Number of grants (including subgrants) with the federal government: 

Current fiscal year (201 1); 

Fiscal year 20 10: 

Fiscal year 2009: 

Federal agencies with which federal grants are held: 

Current fiscal year (201 1 ): 

Fiscal year 2010: 

Fiscal year 2009:~ 


List of subjects of federal grants(s) (for example, materials research, sociological study, 
software design, etc.): 


Current fiscal year (201 1):^ 

Fiscal year 2010: 

Fiscal year 2009:_ 


Aggregate dollar value of federal grants held: 

CuiTent fiscal year (201 1 ): 

Fiscal year 2010: 

Fiscal year 2009: 


3 



48 


Grant Thornton 


November 14, 2011 


The Honorable K. Michael Conaway 
Chairman 

Panel on Defense Financial Management 
Committee on Armed Services 
Washington, DC 20515-6035 


Dear Chairman Conaway: 

In response to the requirement in Rule 11, clause 2(g)(5), of the Rules of the U.S. House of 
Representatives for the 112"’ Congress to disclose the amount and source of federal 
contracts and grants by my employer. Grant Thornton UP, I offer the following: 

Grant Thornton LLP does a substantial amount of business with the federal 
government. It has contracts with most major federal agencies. It performs audit 
and audit readiness work under contracts with federal agencies, as well. Grant 
Thornton's DUNS Number is 128159105 and its CAGE Code is ICDSl. 

Please let me know if you require further detail to satisfy this requirement. 

Sincerely, 


d Auditability Reform 


Audit • Tax • Advisory 

Grant Thornton LLP 

333 John Carlyle Street, Suite 500 
Alexandria, VA 22314-5745 
T 703.837.4400 
F 703.837.4455 
■,L w.vGr3r,tThf;rnicn.?om 


Partner 

Grant Thornton 

Global Public Sector 

333 John Carlyle Street, Suite 500 

Alexandria, VA 22314-5745 



Grant Thornton LLP 

US. member fcm of Grarri Thornton internatiorai LW 



49 


Department of Defense Audit Impediments and Audit Readiness Testimony 
Mr. Mark Kecley 

Partner, PriccwaterhouseCoopcrs LLP 
November 17, 2011 

Chainiian Conaway, Ranking Member Andrews, and .Members of the Panel, it is a pleasure to 
be here today to share my perspectives about "the impediments to the Department of Defense 
(DoD) achieving audit readiness and the actions DoD needs to take to become audit ready." My 
audit readiness perspectives come from 27 years of public accounting experience, including 20 
years in the commercial sector and seven years working with the DoD. My experience is 
primarily in information systems auditing, but 1 will also offer an infonned opinion today, to the 
extent that I am able, on broad audit readiness matters within the DoD. The Finn in which I am a 
partner, PricewaterhouseCoopers LLP (PwC), has performed first time audits of several Federal 
government departments and DoD entities, including the financial statement audits of the United 
States Anny Corps of Engineers - Civil Works (USACE) and an intelligence community agency. 
We have also perfonned the service organization audit of the Defense Information Systems 
Agency (DISA). In addition, PwC has worked with the DoD in an advisory capacity since the 
passage of the Chief Financial Officers' Act of 1990 (the CFO Act) by assisting with 
implementation of the Act at DoD. Among other engagements, PwC has been providing audit 
readiness advice to the Office of the Under Secretary of Defense (Comptroller) ((OUSD(C)), 
Financial Improvement and Audit Readiness (FIAR) Directorate for the past three years. My 
own perspectives have been formed by my work on five successful projects that are relevant to 
today's topic: 

1 ) The first service organization audit of DISA, 

2) The first financial statement audit of the USACE, where 1 was responsible for the 
infonnation systems aspects of the audit, 

3) The development and implementation of the FIAR Guidance, which provides step-by- 
step audit readiness instructions for each DoD Component, 

4) The development and delivery of the FIAR Directorate's three-day audit readiness 
professional development course, including a half day leadership-level course, to over 
1 ,000 DoD professionals, and 

5) The signing of the unqualified examination opinion on the audit readiness of the Air 
Force Fund Balance with Treasury Reconciliation Process. 

These five projects provide a basis for the audit readiness insights 1 will share today. 

As I was preparing to testify, I happened to visit the Department of Energy. The lobby of the 
Department's headquarters contains a prominent display about the Manhattan Project and the role 
of Albert Einstein. The display reminded me of a quotation by Albert Einstein that is relevant to 
today's topic, "We cannot solve problems by using the same kind of thinking we used when we 
created them," The DoD did not intend to create the audit readiness challenges it has today. 
Rather, the DoD developed and implemented processes and systems tailored to achieve its overall 
functional mission, and audit readiness then became an imperative. Because the DoD’s 
incumbent processes and systems were not originally designed to meet audit readiness, a "new 
kind of thinking" will be required for the DoD to address the requirements of an audit-ready 
organization. 

Since the CFO Act was passed in 1990, one of the most significant changes in audit readiness 
thinking that has occurred in the DoD is the development and implementation of a financial 
improvement and audit readiness strategy. Rather than attempt to audit an entire Component all 



50 


at once, the strategy prioritizes financial improvement work into manageable waves of audit 
activity. The audit readiness of the statement of budgetary resources (SBR) by 2014 is a high 
priority wave of audit activity and a primary reason for our presence here today. The DoD has 
already made significant audit readiness progress. For example, the May 2011 FIAR Plan Status 
Report states that DoD organizations with unqualified audit opinions received $96 billion dollars 
in budgetary resources in fiscal year 2010, which is already more than the budgetary resources 
under audit in 1 3 of the 24 agencies subject to the CFO Act. 

Although progress has been made towards audit readiness, the pace of progress must 
accelerate if the DoD is to meet the 2014 SBR audit readiness date and the 2017 overall audit 
readiness date. The work ethic of DoD personnel is strong and the DoD can accomplish any goal 
it sets for itself. The 60-day SBR plans that are currently being developed by each Component 
will soon provide detailed blueprints for how the DoD will meet the latest audit readiness 
deadlines. Based on PwC’s experience to date, the DoD should continue to improve its financial 
management and audit readiness efforts in three ways, as the 60-day plans are implemented: 

1) Enhance the skills of personnel resources through the addition of certified public 
accountants (CPAs) with financial statement audit experience and continue to 
implement of the OUSD(C)'s financial improvement and audit readiness professional 
development program and the financial management certification program. 

Although the DoD has to date spent a great deal of time and energy documenting 
processes, we have learned that the greatest benefit to audit readiness is typically a 
consequence of testing controls and testing for the existence of supporting documentation and 
then quickly remediating the problems identified through the testing. This type of test work 
requires appropriately trained and skilled auditors. 

As stated in the FIAR Guidance, the management of human capital is a significant 
element of the internal controls environment. Although hiring CPAs is an important aspect of 
improving the human capital necessary to achieve audit readiness, not all CPAs have the 
requisite audit readiness expertise. CPAs who specialize in areas such as tax, budgets, or 
systems may not have developed the tools necessary to productively participate in improving 
audit readiness. For example, the Government Accountability Office (GAO) Financial Audit 
Manual and the Yellow Book of Government Auditing Standards use the word "judgment" 
more than 270 times throughout 1,300 pages. CPAs who have federal financial statement 
audit experience are trained to apply this judgment such that they can make the decisions on 
controls and documentation necessary to successfully prepare the DoD for a financial 
statement audit. 

The OUSD(C) is in the process of evaluating its resources and implementing a financial 
management certification program, the key goals of which include a framework for financial 
management development and a mechanism for financial management training, decision 
support, and career leadership. The work ethic of DoD personnel is strong, but the additional 
skills they can gain through this certification program will make them more productive. 

2) Ensure that functional leaders and financial leaders throughout the DoD, including the 
leaders of Components as well as shared service organizations, are held equally 
accountable for audit readiness. 

As stated in the FIAR Guidance, senior leadership oversight for audit readiness is driven 
by the Deputy Secretary of Defense/Chief Management Officer, the Under Secretary of 
Defense (Comptroller ), the DoD Deputy Chief Management Officers, the Military 
Department Chief Management Officers and Financial Management/Comptrollers, as well as 



51 


senior leaders from the functional and financial communities. The majority of internal 
controls and documentation that must be analyzed in a financial statement audit are owned by 
functional areas rather than financial areas. For example, records of promotions used to pay 
service members are maintained by the Personnel & Readiness community. The functional 
areas must maintain data in an auditable form to accomplish a financial statement audit. 
However, functional personnel and financial personnel do not need the same type of training. 
Of course, functional personnel need to be trained to achieve their functional mission, such as 
maintaining property, but they should also be trained to understand financial objectives, such 
as the completeness of property records. Similarly, financial personnel should be trained to 
understand the activities of functional areas, but the financial people should have a primary 
role in working with functional personnel to design effective internal controls and quality 
documentation standards that functional people can follow, such as the proper storage of 
property documents in an easily accessible manner. In addition to the nature and extent of 
training provided to functional and financial personnel, the degree of standardization used to 
design and implement effective internal controls impacts audit readiness. Standardization 
improves the efficiency of an audit and generally improves the efficiency of an organization, 
but can be particularly complex to accomplish from a business perspective. For example, 
DoD's acquisition process is significantly complex and relies upon multiple systems and 
various skilled resources, but it is a worthwhile goal that is gamering attention from DoD 
leadership, especially with respect to ERP implementations. As functional and financial 
persomiel are trained in their respective financial responsibilities and the degree of 
standardization is determined, functional and financial leaders throughout the DoD should be 
held equally accountable for audit readiness. This is already happening through 
organizational and individual perfonnance plans and evaluations, but must continue to be 
emphasized. 

The DoD has more service providers (agencies performing processes, managing systems 
and hosting systems that affect Component financial statements) than any other Federal 
department. The DoD recognizes that shared service organizations must be audit ready in 
order for their customer Components to be audit ready. The DoD is making a concerted 
effort to align the roles and responsibilities of shared services organizations, such as the 
Defense Finance and Accounting Service (DFAS) and DISA, with the audit readiness needs 
of the Components. These efforts are now taking place and are happening at a detailed level, 
such as the mapping of each service provider's transaction processing activities to financial 
statement control objectives that the Components and their auditors need to see. 

3) Ensure legacy or ERl’ systems are configured to report data in the financial 

statements as prescribed by Generally Accepted Accounting Principles (GAAP), and 
also ensure that computer controls are designed into ERP systems throughout the 
entire implementation process. 

Auditors are system agnostic - that is, a system does not need to be an ERP solution to be 
auditable. Rather, to achieve audit readiness, systems must do three main things: 

1 ) Process transactions in accordance with GAAP, 

2) Capture and retain transaction data so that it can be traced to the financial 
statements (e.g, produce an audit trail), and 

3) Maintain transaction data in a reliable computer control environment. 

ERPs can facilitate the achievement of these requirements, but they are not solutions by 
themselves. Systems will only do what we tell them to do. For example, if a legacy system 
was not properly designed to process an accounting transaction, changes to the underlying 



52 


accounting treatment would need to be understood before new system logic is developed or 
the legacy system is upgraded to an ERP solution. The DoD should continue to follow the 
FIAR Directorate's requirement that Components begin by demonstrating how the 
implementation of ERPs (or the modernization of older legacy systems) will address known 
internal control deficiencies and process compliance issues. 

I am a systems auditor rather than a systems implementer, and therefore have not been 
involved in determining whether an old system is updated or replaced entirely with an ERP 
solution. However, I have been involved in auditing ERPs. The DoD's ERPs use well- 
known, proven teclmology that is inherently controllable. However, computer controls that 
may not have existed in the older systems need to be considered up front and programmed 
into any new or upgraded system. The "E" in ERP means "Enterprise," but an ERP solution 
rarely replaces an entire systems enviromnent. ERP's inevitably need to speak to older 
systems. Accounting and auditing expertise is necessary to figure out which controls need to 
stay in the old systems, which controls need to be programmed into the new .system, and 
which controls need to be programmed into the interface between the two systems. 

Systems implementation projects are understandably focused on system functionality, 
while some key controls, especially those related to logical security, are sometimes 
implemented as a secondary activity. Implementing system functionality and controls at the 
same time increases ERP project complexity, but leads to improved audit readiness. If 
enough key controls are not implemented into the ERP in time for a financial statement audit, 
an auditor may not be able to rely on the data. For example, on one of my first year audits the 
payroll data came from a system that did not provide sufficient internal controls, so we were 
required to statistically test 800 sample items across the United States, which required 8,000 
hours. In the second year of the audit, the payroll system provided some reliance on internal 
controls, so we were able to perform much less test work, reducing our time to approximately 
400 hours. In order to apply lessons learned from this first-year audit experience, all ERP 
projects should involve audit readiness professionals who have Federal financial systems 
audit experience, so that they can ensure that the systems subject to a financial statement 
audit satisfy the computer control objectives established in the Federal Infonnation Systems 
Control Audit Manual (FISCAM). The FIAR Directorate has already made significant 
progress helping the Components understand the applicability of FISCAM to their computer 
processing environments, 

I would be pleased to expand further on these three areas during the question and 
answer period today. 



53 



Mark Keeley is a Partner with PricewaterhouseCoopers LLP (PwC). He is 
responsible for his Firm's Financial Management and Information Systems Audit Practice 
dedicated to the Department of Defense (DoD). Mr. Keeley is a Certified Public 
Accountant (CPA) and a Certified Infonnation Technology Professional (CITP). He 
holds a Bachelor of Science in Accounting and Computer Science from the University of 
Massachusetts at Amherst and a Master of Science in Finance from Boston College. His 
audit readiness perspectives come from 27 years of public accounting experience, including 20 
years in the commercial sector and 7 years working with the DoD. His perspectives that are 
most relevant to financial improvement and audit readiness in the DoD have been formed 
by his involvement in five areas of success within the Department: 

1) The first service organization audit of the Defense Information Systems Agency 
(DISA), 

2) The first financial statement audit of the US Anny Coips of Engineers - Civil 
Works, where he was responsible for the infonnation systems aspects of the audit, 

3) The development and implementation of the Office of the Under Secretaiy of 
Defense (Comptroller)'s (OUSD(C))'s Financial Improvement and Audit 
Readiness (FIAR) Guidance, which provides step by step audit readiness 
instructions that each Department Component can follow to achieve audit 
readiness, 

4) The development and instruction of the OUSD(C)'s three day audit readiness 
professional development course to over 1,500 DoD professionals, and 

5) The signing of the unqualified examination opinion of the Air Force Fund 
Balance with Treasury Reconciliation Process. 



54 


DISCLOSURE FORM FOR WITNESSES 
CONCERNING FEDERAL CONTRACT AND GRANT INFORMATION 

INSTRUCTION TO WITNESSES: Rule 1 1, clause 2(g)(5), of the Rules of the U.S. 
House of Representatives for the 1 12"' Congress requires nongovernmental witnesses 
appearing before House committees to include in their written statements a cuiTiculum 
vitae and a disclosure of the amount and source of any federal contracts or grants 
(including subcontracts and subgranls) received during the cun'ent and two previous 
fiscal years either by the witness or by an entity represented by the witness. This fonn is 
intended to assist witnesses appearing before the House Armed Services Committee in 
complying with the House rule. 

Witness name; Mark J. Kceley 

Capacity in which appearing: (check one) 

Individual 

X Representative 

If appearing in a representative capacity, name of the company, association or other 
entity being represented; PricewaterhouseCoopers IXP 

FISCAL YEAR 2011 


federal grant(s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 

eant 





*See Attached* 

























FISCAL YEAR 2010 


federal grant(s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 
grant 






























FISCAL YEAR 2009 




55 


Federal grant(s) / 
contracts 

federal agency 

dollar value 

subject(s) of contract or 
grant 






























Federal Contract Information: If you or the entity you represent before the Committee 
on Armed Services has contracts (including subcontracts) with the federal government, 
please provide the following information: 

Number of contracts (including subcontracts) with the federal government: 

Cunent fiscal year (201! ): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

Federal agencies with which federal contracts are held: 

Current fiscal year (201 1 ): ; 

Fiscal year 2010: ; 

Fiscal year 2009: 

List of subjects of federal contract(s) (for example, ship construction, aircraft parts 
manufacturing, software design, force structure consultant, architecture & engineering 
services, etc,): 

Current fiscal year (2011): ; 

Fiscal year 2010: ; 

Fiscal year 2009: 

Aggregate dollar value of federal contracts held: 

Current fiscal year (201 1): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 


2 




Federal Grant Information: If you or the entity you represent before the Committee on 
Anned Services has grants (including subgrants) with the federal government, please 
provide the following infonnation: 

Number of grants (including subgrants) with the federal government: 

Current fiscal year (201 1): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

Federal agencies with which federal grants are held: 

Current fiscal year (201 1 ): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

List of subjects of federal grants(s) (for example, materials research, sociological study, 
software design, etc.): 

Current fiscal year (201 1 ): ; 

Fiscal year 2010: ; 

Fiscal year 2009: . 

Aggregate dollar value of federal grants held: 

Current fiscal year (2011): ; 

Fiscal year 20 10: ; 

Fiscal year 2009: . 



57 


pwc 


A0BENDUM TO DISCLOSURE FORM FOR WITNESSES CONCERNING FEDERAL 
CONTRACT AND GRANT INFORMATION 


PntewateriioiiseCoopers LLP (PwC) is pleased to submit to the U.S. House of Representatives 
House Armed Services Committee our response to Rule 11, clause 2(g)(5). of the Rules of the U.S. 
House of Representatives for the 112'*’ Congress. PvvC has no grant information to disclose that is 
germane to Pu'C's' November 17, 2011 financial improvement and audit readiness testimony. The 
amount of Department of Defense contract (including subcontract) awards received during the 
lunentand two previous fiscal years (2009, 2010 and 2011) by PwC for work that is germane to 
\ wC's November 17, 2011 financial improvement and audit readiness testimony is as follows: 

Nine (9) contracts whereby PwC is the prime contractor in the amount of $30,47 1,645. 

Five (5) contracts whereby PwC is a subcontractor in the amount of $1,492,847. 

PwC appreciates the opportunity provide our perspectives on the impediments to DoD achieving audit 
readiness and the actions DoD needs to take to become audit ready. 


Priceu'tilerhouseCoopers LIJ^, 1800 Tysons Boulevard, McLean, 22102 
wu'iv pwe com/publicsector 




DOCUMENTS SUBMITTED FOR THE RECORD 


November 17, 2011 





( 61 ) 


62 



ontents p 


xoduction 

f 

I 

adei^hlp Support 

f 

dit Readiness Human Capital 

9 

internal Controls 

1 C 
JL 

Supporting Documentation 

18 

Infomu^on Ttechnology 


O'] 

-tMir 

Conclusion 



63 



The enactment of the Chief Financial 
Officers’ Act (CFO Act) of 1990 and the 
Government Management Refonn Act 
(GMRA) of 1994- opened a new em of 
financial management in the Fedeitd 
government. These two laws meant that 
Federal Executive Agejicies were required 
by law to prepare finandai statements 
and liave them audited by independent 
auditors. 

PiicewaterhouseCoopers LLP has 
provided exlensh'e intenial control 
assessments and CFO Audit Act 
in^leineiitation support for two decades. 
We have served a mmiber of Federal 
Executive Agendes by helping them 
succeed \dth audit readiness efforts and 
acliieve a sustainable audit opinion. 

Tliis guide, “DoD Audit Readiness 
Es.sent!als,” outlines key audit readiness 
competencies that have prown successful 
with Executive Civilian Agencies 
and DepaitHKint of Defense (DoD) 
Organizations tliat have aclrieved dean 
audit opinions, We lia\^ prepared it to 
help the Department as a whole take the 
right steps to achieve and sustain a dean 
audit opinion. 

We Iiave identified the five essential atidit 
readiness competencies -• presented as 
pillars itiPigure 1 - and stixictiued tins 
guide to discuss each one so they may be 
adequately addressed in preparation fora 
fitil-scope financial, statement audit: 

* Leadership Support: Lcadeisliip 
support is defined by a culture in 
wluch operational leaders diampion 
audit readiness. Leadership support 
from across tire Component aeates a 
synergistic envii'orunent that helps to 
influence cooixlination mid cooperation 
in acliieving audit readiness. 

* AuditReadinessHuman Capital: 
Appropriate audit readiness hiunan 
capital means Itaving the right people 
with the right skills, education, and 
experience to identify audit readiness 
impediments and develop workable 
soh.itions. Audit readiness human 
capital will help address the necessary 
internal controls or sets of controls 
(automated and manual), as well as 
determine the adeqtiacy of supporting 









iteivV '■-■’'••.r*: 





1 ■ 3 fi-^itOfSv 


tue '•uceess ofiheGFO Ac| an.I HFl 





jtW? -V ‘ c 



> wtuiivebianclKvperaDOj'i 

l-lJ Lj ^ 


documentation and tlte reliance on 
propel' infom^tion ^^stems and data. 
Internal Controls: Internal controls 
is the set of procedures designed, 
implemented, and aiairttained to 
provide reasonaMe assurance about tlie 
adiievement of reliability of financial 
rejwrting, effectiveiKss and efficienOT 
of operations, and compliance with 
applicable laws and regulations. 
Effective internal ccattrols denronstrate 
a Comporientis ability to assert that its 
finaiKdai statements are feirty stated 
in accordaiTO vvith generally accepted 
accounting principles. 

Supporting Docimientation: 

A Component's supporting 
doamientation is compiised 
of electronic and hard-copy 
evidence supporting tlie amount, 
classification, summarization, and 
reporting of indhidual business 
events. Organizations must ptodurx 
adequate supporting dociunentation 
to allow auditor's to conclude on the 


fair presentation of the fmaucial 
statements. 

• Information Tbciinology: Information 
teclmology includes the Eiiteipiise 
Resomre Planning (ERP) financial 
systems, feeder systems, micro- 
applications, and electronic data 
necessary to pr epare the Component’s 
financial statements. Tlie ability to 
rely on electronic data is contingent 
r.rpon effective information teclmology 
controls witliin and between sj^steins. 
Within each of these audit readiness 
competencies, we will answer the 
questions most commonly asked by 
organizations working to become 
audit-ready. Tlie answers pi'esented in 
tills guide ai'e based on audit standar ds 
combined with our ciunulative experience 
pei'fonning Federal fiiiancial statement 
audits and audit readiness projects. In 
addition to providing answers, we abo 
discuss practical solutions as to how 
OiganizatioiLs can get started with audit 
readiness. 


Auditabta Financial Statemants 


5* 


.♦•If / 


Figure 1: The five essential audit readiness competencies. 


I ' 


An insidsr’s .Anav.^rs to Your Most Cli.ie.'ition'v 1 



64 



‘ Leadership Support 


introikictioii 

We han« n«ed one ojinmon attribute 
resident within Federal organizations 
that harre been successful with 
audit readiness and have received 
imqualiffed audit ojrinions. This 
is support from leaders aax>ss 
the organization. Organizational 
leadership support jun^-statts an 
Organization’s ability to acliiev’^e 
auditable financial statements and 
accelerates its progress toward audit 
readiness. 

Audit standards lielp define exactly 
wlro in the organization needs to 
be invoh'ed in a financial statemeitt 
audit and, therefore, in audit 
readiness efforts. Organizational 
leadership consists of urore tlian 
the Chief Financial Olficer (CFO) 
and supportive financial managers. 
Oiganizational leadeisliipmust 
include those individuals who 
liave responsibility forthe strategic 
direction of the organization. In 
other words, leadeisliip is required 
from the Coimnanding General and 
equivalent leadeis of programs and 
missions. The audit coimnunity in 
both tire conmiercial and Federal 
space lias foiuid tliat to be successful, 
organization heads must be 
supportive of aud actively engaged in 
audit readiness eflbits. 

Why do I need leadership support: 
for audit reiuimess suci^ss? 

Often, organizations undergoing 
audit reading initiatives believe 
that audit readiness responsibilities 
lie solety with the Chief FinaiKial 
Oftker (CFO). This typically leads 


to delays in audit readiness progress or 
e\en audit feiluie, because CFO’s may 
not liave the necessary’ authority to effect 
cliange for business processes outside 
of their domain. For example, auditois 
require transaction source documents, 
such as invoices and recemug reports 
for purcliased items, in order to perform 
financial tests. However, the CFO does not 
physically control the use aifo retention 
of such documentatioii. The inability 
to engage organizational leadersliip to 
support audit readiness efforts often 
leads to woik-aromid solutions executed 
witliin tlie finance office. Tliese are 
often inefficient and ineffective, thereby 
increasing tlie cost to the organization 
rather tlian realizing the true value of 
audit readiness, which is to provide 
reliable data tliat increases the efficiency 
and effectiveness of mission operations. 
Consequently, the CFO needs support 
fi-om the organization’s leadeisliip to 
drive cliange and monitor progress witliin 
tlie organization’s progiam/mission 
areas. 

In April 2006, tlie DoD Office of the 
Inspector General (OIG) contacted PwC 
to support its Fisc’al Year (FY) 2006, FY 
2007, and FY2008 avidits of the USAGE/ 
Civil Works financial statements. This was 
the fis'st Independent Public Accountant 
(IPA) -assisted financial statement audit 
of USACE in its 230-plus year liistoiy. 

Tliis was the first major entity appro\’ed 
for audit imder the DoD Financial 
Improvement Audit Readiness (FI AR) 
program, 

One of the catalysts forthe audit’s success 
was the Commander’s support. Tire 
Couunanding General required division 




65 


aiid distiict Coimiiandei's to thoiouglily 
siAppoit audit elfotts. Tlie USAGE 
Cooimaader required the btisiaess iiiiit 
cormiiands to report the status and/ or 
success of their audit efforts on a inontMy 
basis. Additionally, the USAGE Gliief of 
Staff actively paiticipated in all internal 
progress retdews (audit status meetings) 
to unpiement solutions to overcojne audit 
impediments across all commands. 
Oi:ganizations should emulate the USAGE 
approaclj to create leader sliip sup|x>rt 
across pi'ogiam/niission areas. lb ensiue 
success, the Conunanding General needs 
to lequii'e the leaders of each program/ 
mission area to be accotmtable for audit 
readiness efforts. Additionally, the Cliief 
of Staff sliouid participate i n all audit 
readiness status meetings to monitor, 
support and facilitate the resolution of 
cross-organizational impediments or 
issues. 

he.vatmofa 
t . >• u t’JiUt? 

Many organizatronal leaders witliin 
the DoD liave never' experienced a 
financial statement audit. Tlxerefbie, it 
is important that financial mana^j s be 
able to help them understand the merits 
and appreciate the value of a financial 
statement audit. Iirdejxendent auditor- 
reports provide stallholders (Coitgress, 
oversight bodies, taxpayers, etc.) with 
an independent third-party opinion as 
to ■whether the organization’s financial 
results ai-e fairly stated in accordance 
with Generally Accepted Accounting 
Principles (GAAP). Stakeholders can use 
tills information to conclude whether 
the oi-ganization can demonstrate 
accountability for its Federal fimding and 
execute its niission(s) in an effective and 


rau.’n9’niol Anditn^, Siajalfuds (SAS) No. lldjlhc* Auditoi'r < • 
cah Those Uiaigcd vrii liGovousance, requms- audrJoa fo < .ni'' ii . 
ith otgjmizjlioruii f»"ailprsinp arid dof iik<s riie leadorsas ■fhasr ■ h ' 1 
‘.spojK.jlMhJy forthe.sfraiegir direr non of lire orgaui^auon. 


efficient mamier. FurthennDre, Federal 
orgauEatiom that can demonarate 
fiscal responsibility through independent 
financial statement audits will haw 
inaeased credibility with ^akeboMets, 
Congressional committees, and tire 
American people. 

The true valtK of a financial statement 
audit lies i«>t just in corrqiliance, w'liich is 
marKlatory, bitt in the improved |K^ocesses 
and controls that undergird mission 
operations and make for a more effectiw 
and powerful figh ting force. 

Hayvdoiif- audit j-sarfinass niv 
-jrganimtkm? 

Oigmiizations manage their opei^uions 
based upon budgetary resoui-ces and 
expenditiues. Sound budgetary data 
helps leaders gauge the use of hinds 
toward inksion aclikwment. Audit 
readiness in^rows the quality of 
financial information, vvluch improves 
the efiicienc}' and effectiveness of mission 
programs. Mission funds are used to 
exeaite business events which are linked 
to accoimting transactions for financial 
reporting, leading to better data for 
dedsion-making. 

Audit readiness links business event 
activities to accoiuiting ti-ansacrions aiid 
ensures that the accoimting transactions 


are properly reported in the financial 
records. The ability to link business events 
processed tiu'ough an end-to-end business 
pr ocess to accounting transactions is 
critical to successful audit readiness. For 
example, a military payroll transaction 
is initiated when service men/women 
produce goods or services-a business 
event. Tire accoimting transaction is 
evideirced by leave sli|)s used to record 
costs, benefit expen.se and tenefit 
liabilities. Conect leave slips are the 
link bettveen the business event and the 
accoimting transaction. Audit readiness 
ensures that the processes to record 
military' }jay liave the proper internal 
controls to effectively and efficiently 
expedite payroll processing, wiiile 
maintaining adequate dociunentation 
as evidence to support tlie financial 
reporting of the business event -- therely 
executing the mission. 

Ffecording business events in financial 
iiecofds also provides program/mission 
leaders a t'epository of data with which to 
manage their pixrgrams. Tliis eliminates 
tlie need to liave separate spreadsheets 
and/or reports aeated outside of the 
financial records for decision-making 
puqjoses, enabling program^, mission 
leaders to do more with less. 


An insider's An8>.vers to Your Most CommoniyAsted tAicsfioos ,'f 



66 



Figure 2: Organizational leadership support is neccesary P>r successful audit 
readiness. 


Orgaiiizatioiis niay follow the steps below 
to obtain supprait ftom leadei-s for audit 
readiness initiatives. 

Stcip D'lsmtjn.strate why 
hi‘H.de:rs.hip support is 
Be piepaied to demonstrate why 
organization leadersliip support, sliown 
in Figure 2, is necessary. The CFO oi' 
the audit laadiness fiaandal manager 
may liave to get involved with the 
organizatioir’s program/inission areas 
to educate leaders on the need for audit 
readiness -- a tiine-coiisiuning process. 
One organization that lecently aclrieted 
a dean audit opinion spen t nearly 18 
months on consistent comimmication 
and education by tlie CFO and Director 
of Audit Readiness. After 18 nronths, 
however, the piogram/mission leader's 
were voIuirta,rily si.rppoitive of the audit 
readiness efforts, and even lused impixrved 


cast infomration K> help them manage 
their programs/inissons. 

Step 2: Deassonstrate the valwe 
of a fiimHciai statement atidit. 

Most organizational leaders witliin 
the DoD come horn a program/ 
nrission background and may not have 
experience with a finandal statement 
audits. Therefore, it is important to be 
able to demonstrate that the value of a 
finaiKial statement audit extends to the 
positive message it sends stakelioldeis. An 
imqualifred audit opinion commiuiicates 
tliatthe financial management data of the 
organization is fairly stated - oj‘, in other 
words, reliable. 

Step 3: Desraionstrate how 
audit ceadmess benefits the 
organisation. Be pr epared to discuss 
tlie value of audit readiness and hate 


a soiurd audit readiness plan that 
demonstrates a prioritized approach 
that includes interim milestoiies. The 
FIAR Guidance, wliich is issued by 
the Office of the Under Secretary of 
Defense (Comptroller) (OUSD(C)) FIAR 
Directorate, provddes eui authorized DoD 
audit readiness plan and methodology. 

It also prescribes the use of Financial 
Impi'ovement Plans to monitor progress. 

It is important tliat organizational leaders 
be able to track audit readiness progr ess 
via measurable rmlestoiies to monitor how 
improvements translate mto benefits to 
tlie orgamzation. 

Step 4 ri ‘ ^ s . 

f Create iprocessfor 
leadership to re main engaged m audit 
readiness to sustain momenftun and 
drive organization-wide improvements. 

As noted earlier' with the USAGE 
example, the CFO was able to work with 
tlie Coiimianding General to establish 
a process for contimial leadersliip 
monitoring and support tiuougliout tire 
audit readiness effort and, eventtially, 
the audit. The Commander held each 
divisioiv'directoiate I'esponsible for 
audit status. MontWy progress reports 
were given to the Creneral Commander. 
Additionally, the Cliief of Staft’ attended 
ah internal progress review meetings. 

This same approach should be used 
for audit readiness efforts, as well as to 
ensure consistent organization support 
and awareness. It may also be appropriate 
for lire Commander to provide financial 
incentives to Senior Exectitives for 
audit readiness success in tlreir annual 
development plans. 

Execution of each of tliese steps will 
lead to the final objective of obtaining 
leadership support - wliich, in turn, will 
drive effective audit readiness progress 
leading to a successful and sustainable 
audit. 


4 DoD Airil't Es^ntlais 


67 



iiec 

essaiy w adiie\ t 

<uu 

lit readiness anti 

del 

nonstrate finaiifi 

ini| 

iiovenifeiit? 

• Ha-. 

(' I doiie etioti.'th 

10 t 

twnreiny team 

lias 

acletl»ate traitiiii 


L’liieye audit 

1 en 

timess? ■ fj 

* Uoi 

vddlgerstaii^ 


^ Audit Readiness Humam. 
Capital 


Successful aiidk readiness efforts iK o” * 


begin with putting the a|jpjx)priate 
human capital in placs -- tlie 
ri^it people with tlK rigttt skilb, 
education, and experience to identify 
audit leaditKSS inqrediments and 
develop woitabfe solutions. Tliese 
human capital resources will pur 
internal controls or s^ of controls 
(autonrated and manual) in pl^e to 
achieve the organi^tion’s mission 
and financial reporting objectives . 
They will also verify that adequate 
supporting documentation exists 
so the proper level of reliarKe can 
be placed on infonnacion systems 
and data. Wkhout the right human 
capital, resources may be spent on 
tieating tlie symptoms of a lack of 
organizational readiness ratlier timii 
dealiitg with the root causes - such 
as inadequate experieiKe, training, 
or skills. 

As part of evaluating wlretheran 
organization has tlie appropriate 
human capital in place, leaderehip 
sliould ask the following questions: 


f V \ 1 1 t 

il ‘ i 

Oiganizations sudi as the DoD have 
operations that span the globe and 
encompass both public and private 
resources. Managing these complex 
operations requires himdreds of 
operational, accomiting, and budgetary 
systems, as well as thousands of persomiel 
to input and approve transactions. 
Demonstrating financial improvement 
and audit readiness requires an 
Organization to build adequate human 
capital with the proper competencies. Tlie 
workforce must be <iedicated to financial 
improvement and audit readiness 
actmries. Tliis caUs for a mtilti-discipliiied 
team with relevant skilb, practical work 
experience, and sufficient and up-to- 
date training as sliown in Figure 3. The 
fbllorving skills are required: 

Auditors: Understand Federal audit 
requirements. Peiibnn(ed) Federal 
firiandal statement audits, including tire 
impact of infbniiation teclmology on audit 
readiness activities. 



Figure 3: A mulU-disciplinary team is critical to achieving financial improvement and 
audit readiness. 



68 


Information Technology Auditors: 
Understand information technology. 

Have a detailed, worldng Imowledge of 
the Goverimient Accountability Office’s 
(GAO) Federal Information System 
Controls Audit Manual (HSCAM). 

Data Management Specialists: Utilize 
data management tools such as ACL 
Services, IDEA, atid Monarch to identih' 
data anomalies, abnormalities, and 
inegularities. Demonstrate ability to 
segregate large volumes of data to 
facilitate sampling for audit readiness 
testing. 

Statisticians: Underatand statistical 
requiiements and utilize tools such as SAS 
to facilitate .sampling for audit readiness 
testing. 


vffrSiiiihg touisos designed ; 

eloping the conises, only 
:>mfessibn?d5. ■ I't'.'-.;,'';-: •.i:;''-'':- 


Other Spedafiste: ShovvprofiaeiKy' 
with uniqtffi Federal prt^rams such 
as Environmental lialHlides and 
tlieir impact on audit readiness. For 
exanqjle, aoxnmting retprirements 
have spedfk criteria which detail when 
an environmental liability must be 
recognized and who mu^ lecc^uize it for 
iiirancial reporting purpo^s, wiiicli may 
differ from wten the actual event occurs. 
Organizations working to become audit 
ready must have a combinatiou of 
resources that includes representation 
from the competences above to be 
siKxesshil. Without it, oiganizarioirs nm 
tlie risk of not reaching tlie appropiiate 
coiichtsions at key decistou points 
Organizations that deploy a multi- 
disdplined team widi accotmting, 


auditii^, information tecbnolog}', data 
management, and statistical skills will 
able to best demonstrate financial 
improvement and audit readiness. 
Figiirt 4 details the t>'pe of skills, 
experience, and certifications tliat audit 
readiness persomiel should possess. 



Once the appropriate audit readiness 
Imrmui capital lesomces are in place, 
audit readiness sldlls neeti to be sustained. 
Tliis can be accomplished tluoiigh 
continual training and the stiategic 
assignment of resoiuces to projects and 
rasks tliat cliallenge and grow each 
person’s abilities. 

Organizations such as the American 
Institute of Certified Public Accountants 
(AICPA), the Institute of Internal Auditors 
(IIA), the Association of Gov'erament 
Accountants (AGA), and the American 
Society of Militaiy Comptrollers (.ASMC) 
provide audit readiness tiaining. In 
addition, a number of private entities also 
provide accoimtiirg and auditing training 
for new', experienced, and seasoned 
peisonnel. 


[')0[) Al.K(r( Fspotitia's 


69 


C.i(r>gnrt^ 


Fiiur iiiun CoiKiiinq <«| 

• Auditing 
' Information 
Technology 

NewPsrsonnei 

■ Has za'o to four years of es<i>erfence 

■ Utilizes and demonstrates CTgicalttimitffig ^is 

' Stays abi'east of current FetJsai aaxwrtfing, FT, and/cr reporting standsds 

• Understands the DoDC»pnistion’sq)®^ns and sysfens 

• Participates in discussions wi&i personnei conducimg operations to unctestend tne 
impact on accounting 

• Demonstrates professionc^ skepltcsre 

• Prepares qualriydocunieritafon 

Editing 

• BadielofSinAccotmting 

totormation Technotogy 

• Badr^rss m Marragement information Systems or similar 

0^ 


:Sgasoned Personnel ... . , 

Has four to 10 years of experience 

i ■ . Understands D(£ Orge^i^iim qi^adons and determines when to use a ^eoalist 

• Demonstrates ttK^oi^h1ok)wfe(^(^F^^accois^,'ITr»«dfer{a|»v^^Ki^ 

, andconbnuousiydevetopstechrwsilaHjwlerige.-.,' ^ c- . .ru-^v. 

• Perforriistechntc^accc^nhf^reKanSrandftm-cwiSuaaircr 

• Leads dfecussions w^tpersOTnelGOftduGtj^ops^orB'^'.ifetertmBte^ffiagi^c^ • 

, auditreadihess 

Suditmg 

"'■Batto^ocssj'Accounting- ' , 

• CerWedPitotic Accountant (GPA) 
’VCertffledGovemirerrtFfnanciaiMafiagementfCGFM^ , 

•.ye^Sed Defense Finahciat ManagerjCDFM 

toKwmatton Technotogy | 

.f ..Bacli^q« in Management Information Systems wsimitef i 


readiness doGumentehon 

vldehtifiesandsharesiestjMadi(»sEmdlessore ; ; • •• . 

* Demonstrates prOfeSSiOnjJ^eptoSm - 

^.GerWedtofcsThatidn Systems Audfkx 

Informed ^iirity Mariner (ClS^ 

T Certi^mCSdv«nanc» t^ Ent^riseiT{CG^^^^ , • 
>\CSiflftod'fn^atton':TeGhndic^.PrQ^sronaip^^ 


Experienced Personnel 

• Has more than lOyejfs of experience 

• Buiids strong reiattonships with Senior Leader^p to t^t^ bu)Mn ^ fedSate audit 
readiness activities 

• Demonstrates a conprehensive understaiding of Ferte^ acosintBig, IT, sid/a’ 
reporting standards as we8 as DoO's intarr^ ccm&’Ols precedes 

• Demonstrates an undeistanding of audit requrements, indudirg cxinsid^^ of the IT 
environment 

• Identifies and resolves inipediiTBnts fo audit readiness m a tm^ mainer 

• Drives collaboration and leads effwts to de«k^ die audSreadhess ^proacdr fix 
assesss^le units 

• Demonstrates the ability to deliver frm commands 

Auditing 

• Bachekxs in Accounting 

• Certified Pub!icAccountant(CPA) 

• Cahfied Government Financial Manager (CGFM) 

• Certified Defense Financiat Manager (COFM} 

Irrformation Technology 

• Bachelors in Management information Systems or similar 
major 

• Certified inform^ion Systems Auditor {CiSA} 

• Certified Information Secu'ity Manager (CISM) 

• Caiified in Goverrrance of Enterprise IT (CGEIT) 


* Ensures audit readiness personnel have sufficient and rdevsit basring 

i,r C ) 


' P DseS'd^-mar^rnentt^ to id^rtify dataabtronnaKes and arornaies 

Data Management 


.• facilitateseaniiltogfortesteofGnifrois^tostocrf'st^portingdocuiTierrtefi^ 

• BachetorsoiManagementlnfr^-maticn Systems orsimilss' 


;>'sSho««familidi%wih<>ganizatxin's<tato.an^ 

kJ 

ilHIi 

vt^^Shbws fanyhar^.With the scope'll a ^cial statemeMauiU 

Statistics 

smiarmajor 

• Specialists 

• Has a conprehensive understanding of tire sitoject 

• Bachelors in Accounting 


• Has a conprehensive ooderstanding of processK at toe Organizalion 

• Certified PubHc Accountant (CPA) 


• Thoroughly understands fire accounting amt reporting standards 

• CKtified Government Financial Manager (CGFM) 

• Cached Defense Financial Mens^er (CDFM) 

• Certified Infomiation System Security Professiona! 

(CISSP) 


Figure 4: Organizations deploying multi-disciplinary teams will be best able to demonstrate Unancial improvement and audit readiness. 


An Insider's Ans-*ysrs to Your Most ConirnonSy Ajiknd 




70 




i? 




Auciit Ri cIJm r 's o Cssi. > 


Figure 5: Organizations should define their human capital requirements for becoming 
audit ready. 


Orgaiiizations may follow the steps 
presented below to ensure appropriate 
human capital is in place to support audit 
readiness efforts: 

Step '.I : J'ries'stsfy capstal 

Mcptirem ent:®., Using the uifonnation 
above as a starting point, oiganizations 
should define their htunan capital 
requiiBineiits for becoming audit ready, 
as shown in Figure 5. Tliis includes 
identifying the types and numbets of 
lx>sitiom leqi, tired to become audit 
ready, and then determining the sldlls, 
traiiting, experience, and education 


required for eadr type of position. Tltese 
decisions sliouM be doaimented in 
position descT^tions that can be used fi3r 
fiiture hiring of personnel, as well as for 
solidtiug contractor support. 

Step 2r Assess audit 

teadiness htrenant capital. OjKe 
tlie audit readiness positions Irnw been 
defhied, oiganizations slwuld perform 
an assessment of their existing peisoruiel 
aiKl contractor resoiuces. This assessment 
should survey peisomiel and compare 
their shills, training, experience, and 
education to tliose doainieiited in tlie 
position descriptions. 


Stof d- - 

' ' Tlgapsm 
sloUs. traumig, expenence. or education 
are ideiiuhed. the orgarazatiou should 
develop a remediation plan. Ideally, 
current employees could be trained, 
attend additional education classes, 
or lie ofieied rotations into other 
positions to allow them to dose those 
gaps, hi instances when tliat step is not 
practical, oiganizations should look for 
opportunities to rotate the personnel 
into another area where they may satisfy 
position requirements and create space 
for adding new resources. 

Step4j Adslh-Jg Uxidsi 
human t-apsuik If organizations have 
open positions, they sliouki use the 
position descriptions developed in Step 1. 
to find iiersonnel (including contractors) 
who possess the appropriate sldlls, 
experience, aaining, and education to 
support audit readiness. 


Audit Esssdiats 


71 



Internal Controls 


^ Introduction. 

Internal controls is tire set of 
procedxues desigiraj, ^piemented, 
and maintained to provide 
leasonahle assuiancs about the 
achievement of die organizations 
objectives with regard to tlie 
reliability of financial reporting, 
effeciiven^ and efficiency of 
operatKHis, and compliance with 
applicable laws and legulations. 
Internal Controls Over Financial 
Reporting OCOFR) ate tlie 
procedures designed to pro\ide 
reasonable assurance regarding 
the reliability of tlie oiganizmion’s 
financial repoiting. It staits at die 
initiation of a transaction and ends 
with the repoiting of tlie related 
balances in the financial reports. 
Therefore, internal controls over 
the tiansaction piocess inv'olve 
activities at eacli step of tlie end- 
to-end business process, including 
the initiation of the ti'aiisaction, 


maintenance of eadi transaction record, 
the recording of each transaction, and 
the ultimate financial repoiting of the 
transactions. In addition, theyiuclude the 
prevention and detectio n of miauthoiized 
acquisition and use or disposition of assets 
in relation to tlie transaction. 

0MB Circular A -123, Appendix A 
provkles guidance on compliance widi 
tlie FMFIA and ICOFR. At its core, the 
cirailar requires the identification, 
doamientation, assessment, testing, 
and reporting of the organization's 
interaaJ controls over financial reporting, 
riierefore, die requirements of 0MB 
Cu'cular A- 1,23 are a subset of DoD’s audit 
readiness activities. 

The FIAR Methodology, defined in tlie 
FIAR Guidance, includes taslu tliat 
can be leveraged to meet tlie ICOFR 
requirements cxmtained witliin 0MB 
Circ.ular A-123, Appendix A. Tlie 
organization’s integrated execution of 
the FIAR Methodology satisfies the DoD’s 
requirement for conqilying with ICOFR. 


• ; As of Mai’ i?cmeut ai d Fm Igt-r (OMB) CaccU .n 123, 

v:iban^i;^^^^|s.tfuh^»etit^jc5ponsibi c ’•cdeveloj>a«d masnlatnelfecave 

.11:* , I ‘ -• 

: :t'espoB^^^^ageii£y manners and sxdV. 




72 


environment, assess die design of 
intssmal controls, aiui test appropriately 
designed a>ntrols tbat reduce the risk 
Wlien conducting an audit ot a Federal of naterial mis^temeMs (i.e., control 

entitv. the finanaal statement auditor risk). Tte auditor then uses the results 

must toUow auditing standards generally to, among other thirds, determine the 

accepted in the U.S., Government nature, extent^ aiKi turnip of further audit 

Auditing Standards issued by the prot^dures (e.g., substantive testing and 

Comptroller General of the U.S., as well tests of conq^ianre). As noted inFigure 

as 0MB Audit Guidance. In addition to 6, the higher the reliancx tire aiKlitorcan 

proidding an opinion on the financial plac« on internal controls, the lesser tlie 

statements, Government Auditing amount of subSantive proffiduies that 

StcUidai ds require the auditor to l epoit on must be completed, 
the oipuiization’s mtemal controls oeer 'nifirefore it is usually beneficial for 

financial repotting and compliance laith oiganizatioiis to implement. Identify, 
laws and regulations. doaiment, and assess its mtemal controls 

In order for this to occur, the auditor over financial reporting. This will 

must obtain an luiderstanding of facilitate the most efective and efficient 

the oiganization’s internal control financial statement audit, improve 








'c* t o* SupjKMiinq Documenutioft 

' 'i 


Figure 6: The higher the reliance the auditor can place on internal controls, the lesser 
the amount of substantive procedures that must be completed. 


tte organization’s ability to obtain an 
imqualified opinion, and directly reduce 
the cost of the audit. 

It is important to note tliat the process of 
implementing, identifying, documenting, 
and assessing the Oiganization’s 
internal controls ovei' finanda! repotting 
provides a wide range of benefits to the 
organization, ranging ftom a better ability 
to achieve the organization’s missions 
and program objectives to an ability to 
seamlessly comply with the multitude of 
laws, regulations and directives applicable 
to DoD orgamzations. 

Wfmt is a ContmlAciiinty a;!.;.? Innv do ». 

Control Activities are tlie pohaes, 
procedui es, teclmiques, and mechanisms 
tliac help mate ceitain that management 
diieclives aie carried out. Contiol 
activities include: business peifonnance 
reviews; controls over information 
processing (e.g., application controls 
and IT general controls (ITGCs); physical 
controls; and segregation of duties) . 
Oigaiizations should identify control 
objectives for each type of conti'ol tliat, if 
achiei'ed, would pi'ovide the organization 
with reasonable assurance tliat individual 
and aggr egate misstatements (w'hether 
caused by ener or fraud), losses, or 
noncompiiance that is material to the 
finandal statements would be pieveaited 
or detected'. Hie Depaitment’s FIAR 
Guidance defines these as tey control 
objectives (KCOs). 


lU vtniMiiii ( rj iObjsctfvc-s 


.10 !::!oD Aisclit !'tead)Ht;si5 i9ss«>'(tlais 


73 





Civilian,, 
Payroit , 

Payrdt : ^ 
Computetioh / 

inacGiRBtdy 

Salary and benefife ere calculated, 
paid, arrd rscwded based txi aj^yir^ 
^xxqyiate ctete frars acx^afe ft^uias, 
G^cutetiais, ttfidfOT data 

Pajrdl tedinicians vvilf review the repcrt which identifies 
5KyTnentsiesstoan$1 and greater than $5,00(}/$1Q,000 
todvilianson their reactive databases and review tfisir 
payroll ^stem records to determine whether there are valid 
paymeit Iftoeneiomountfor each empioyea'itern is greater 
$5,0(W/10,00D Of te^ than SI , the report is annotated and 
i|xfates are rracte in the payroll system for any invalid payments : 

invdkipa^ci 

be made to . ■ - , 
entotoyess , 

Only vaidpt^itj (S^rursen^ls^;::- 

cdledKHisarefflc&Ktedn the^orit^s^-, : > 
sectioiioflheStatententorBudgetary . . 

Resources 

PE^Ifec^fciaris^lfevi^tfieMaster P^.Hsloryand, 
Ste^^&rpldyee' Record, in boto:dat3bases, for each, employee 
S^tSecufity number feting to ddtermine If an 
if ffie employee should be a^arat^,, , ,, 


Figure 7; Examples of business processes, sub-process, risks, control objectives and control activities. 


Business processes consist of any 
sequence of activities (traitsactions) 
that takes place in order to get work 
accomplished and acliieve the business’s 
objectives. These tiiay range from a simple 
procedure, such as paying an iirvoice, to 
a key element of the business operations, 
such as processing civilian pay and 
purchasing missiles and satellites. They 
may also iitcJude fiinctional processes, 
such as maintaining an organization's 
financial recoixis, to cross-fimctional 
processes, such as an application of 
human resotuoes. 

In short, business prot-esses are 
activities tliat are canied out in the 
normal com*se of business in order to 
aclvieve tlie objectives and mission of 
the oiganization. Tliey should not be 
confused with control activities, wliich 
are the procedures put in place by 


managenKiit to ensure that baisiness 
piocesses are carried out as directed, 
while pioviditig tte organization ivith 
reasoirable assuraiK^ that misstatements 
will be preveiUed or ctetected. 

Figure 7 piovddes additional examples of 
tliese concepts. 

What are. Key Conf/'ols? 

Key condol activities are cliaracteiized by 
oixe oi' more of die foBowdiig: 

• Management reiks upon them 
to prevent or detect matemi 
misstatements in financial reporting; 

• Tl»y address relevaitt financial 
reporting assertions for a material 
activity (e.g., a financial report liiw- 
item); and/or 

• They mitigate one or more significant 
control risks, such as fraud and 
inacauacy. 


It is important that management 
identifies those controls that are key to 
its financial reporting process and related 
transactions. The benefits of identifying 
tey control activities are tuofbld: it 
allow's the organization (dming audit 
readiness) and the auditor (during 
the audit) to specifically Target tlieir 
testing efforts on controls tlrat reduce 
tire risks of material misstatenrents in 
the financial statements, niis increases 
the effectiveness and efficiency of both 
processes, lowering costs and redxrcing 
the impact on personnel. In addition, and 
more importantly, the identification of key 
controls helps the organization identify: 

1) controls tiiat are not key, which will 
spiu efforts to coiTect them; and 2) 
duplicate and/or ledmidant controls 
which, by their elimination, improve the 
eftfciency of the organization’s programs. 


An Jnssder's Ansv^rs to Your Most Ccmfi'wiiiyAsted IJ 




74 


f-itunuat Asscrtior 




A8 assets, ecpjify revenie/e^ense tra^trtions, and budgetary' activity that should have been 

pecaded .have been reosrled 

Valliato' 

buc^etsy activity are included. in.the.frh^cM 
^-sts^T»^:at^rcpn^^«iK«nls^aty.i^KngvsA]eix«^or'aloc^n'ad)ir$tmente dre appropriately recorded . 

Presentation and Disclosure 

Fmancial infwir^ion is ^^Nv^ri^^ixesented and (fescrfced and disclosures are clearly expiessed. .Ail financial 
sd otfief inibnnabcx! B diaiKed 


Figure 8: Definitions of financial statement assertions. 


Mapping control objectives to control 
actitaties and theit to financial, 
reporting asseitioirs are the first steps 
in determining wliicli internal control 
activities are key control activities. 
“Non-key” control activities, wliile useful, 
may not provide an essential degree of 
assurance on the effectiv?e mitigation 
of the sigmficaiit risits impacting a 
key business proce.ss. Some common 
examples of key control categories 
include: 

Segregation of Duties - Segregation 
of duties is effective when the 
responsibilities for a finandai process are 
separated between various indhiduak 
witltin an organization. Tlte sante 


indivklual should ocA be authorized 
to approve an aaxnmts receivable 
transaction, enterk into the system, and 
tlien bear responsibility for r«»uciliug the 
transactions. Proper segreg^ion of dudes 
will prevent iralividuais from being able to 
misappropilaie assets. 

Authorizing Procedures — An 
authorization cMntrol is effective wlien 
more tlran one person is responsible for 
atitliorizing a deckaon or a«iou cliat 
can impact the <»ganization’s assets or 
financial statements. Ontlw other Itand, 
an excessiw number of transaction 
afqjrovers may indicate an uieffident 
control. For example, a supervisor review 
and approval may be rec|uired ov'er 
recojidliarions petformed. 


In addition to these key control categories, 
key controls themselves relate to the 
irqjut, proce.ssing and output activities 
tiiat help an organization acliiev'e the 
finandal statement assertions I'epresented 
ink’igureS above. In representing tliat 
tlieii' financial statements are fairly 
presented in conformity with generally 
accepted accoimting procedures, 
Organization management implidtly or 
explicitly maltes assertions regaitling the 
recognition, measureinent, presentation, 
and disdosure. In essence, Organizations 
make tire following specific assertions 
regarding their financial statements as 
represented in Figure 8 table above. 


12 DoO AiicSi'S R*;);wr!w,>i?s Esaenttels 





75 


Accoiriuig to tile FIAR Giudance and 
Genei'aliv Accepted Go\'e mnient Auditing 
Standards iGAgAS). anoirgamzatjoiis 
management is responsible tor tne 
internal controls over their financial 
infonnation and, therefore, must eiisme 
tliat they understand wliicli financially 
significant actiidties aie outsoiuced to 
service proi'idei's. Additionally, GAGAS 
detei-s to the American Institute of 
Certified Public Accomitaiits (AICPA) 
Statement oii Standaids for Attestation 
Engagements (SSAE) Number 16 as the 
authoritative staiidaixl for the audit of 
a sendee organization. Accoidingly, the 
organization’s management is ulcimatefy 
responsible for the effective ness of the 
service proiddet s’ controls over those 
activities that impact the organization’s 
financial repoiting. As an organization 
commences its audit readiness efforts, 
it needs to identify’ actiitties being 
performed on its behalf by service 
providers. In these cases, an SSAE 16 
report should be obtained wlren available 
to reduce the organization’s audit 


readiness work owr service provider 
activities. Ba^d upon our esperient», 

OIK best practice is for tiie organization 
and the service provided to identify tlie 
key controls that will be included in an 
ulumate SSAE 16 report aiKl ass^ rol^ 
and responsihilities at that granular lev'el. 
This significantly redures the cost of an 
SSAE 16 er^agement, because it gives all 
parties ravolred a dear expedation of the 
audit scope. 

In evaluating whetl^ an SSAE 16 report 
provides suf&ient evidence about the 
efiectiveness of internal controls at tlie 
service or^n^tion, oiganizations 
sliould consider the following fectors: 

• Tlie time perkidcxjvered by die tests of 
controis and ks relation to the period 
midei evaluation hy management. 
Alteniativefy, the date of management’s 
assertion over the asse^able unit luider 
evaluation should be conadered; 

* The scope oftlte SSAE 16 examination 
and applications covered, tiie controls 
tested, and the way in wliich te^ed 
controls relate to the organization’s 
controls; 


\Miether the report identifies controls 
over the seivice organization’s 
activities tliat support relevant 
financial statement assertions at the 
organization; 

Whether the r eport includes both an 
evaluation ofthe design of controls 
and tests of operating efiectiveness 
(i.e., a SSAE 16 Type il report); 

Tlie results ofthose tests of controls, 
as well as the service auditor’s opinion 
on tiie operating efiectiveness of the 
controls and whether each control 
objectivi'e was acliieved; 

Whether significant clianges that 
liave ocemred at the service provider 
between the SSAE 16 report date and 
the organization assertion date have 
been identified and addressed; 

The impact tliat tiie results of tests 
of conti'ol iiav?e on the assessment of 
internal controls by the organization; 
and 

The service auditor’s professional 
reputation and competency. 


An insider's Answers to Your Sdo.sl Commonly .AsivocKStiostions :! 



76 








'ucJrt RMiinos-t Fs-»r- *i-‘-. 


F/gure 9: Organizations should implement, identify, document, and a 
internal controls over financial reporting. 


As part of their avidit readiness efforts, 
organizations should implement, identify, 
document, and assess their internal 
controls over financial reporting as shown 
in Figwc 9- Consistent with the FIAR 
Guidance, the following stei>s should be 
taken to acroraplish this goal: 
j fy yxmr Fmavicsal 

s'ts-i The first step is to identify 
your fijiancial procx»sses (including 
assessable units, sub-units, transactions, 
accounts, and related financial systems 
and dollar values associated with each 
financial prorass) , This selves as the 
foundation for the next steps in the 
pixx^ss, 

S't&’ip 2: Siisj'sitsfy >'<>ss.r Significant 

This task is aimed at 
identifying which of the financial 
processes (including assessable units, sub- 
units, transactions, accounts, and related 
financial systems, identified in. Step 1 
above) are significant to the organization’s 
finandal reporting, based on quantitative 
(dollar value) and qualitative (non- 
ftnanciaO considerations. In. order to 
determine mateiiality, organizations 
should review' the guidance protided 1:^ 
0MB Caravlar A-123 and tlie PCIE/GAO 
FAM. 

fiti'syi 3: l*repi;«.re Process «sB.t! 
Systx:sms :DcK':a.ifse.6t|:at:tO'Jt. Once 
significant processes have been identified, 
process and related system doamientation 
must be developed. Tlie process and 
system doaimentation should include 
information coveting the itiitiation, 
authorization, processing, recordingand 


reporting of the tiansartions associated 
with each significant procsffi. The 
documentation should also include rides 
associated with the signifiouit processes 
and related controls. Controls sliould be 
noted as swh to fadlitate the performance 
of the steps that follow. 

Step 4: Identify JUsks, ICsy Control 
Objectives and related K<^' 
Cfootrols. Based on the information 
gathered through the development of 
process and system doaimentation, the 
organization sliould develop control 
worksheets (sometimes referred to as a 
control matrix) that identify lisks, key 
conwol objectives and related financial 
statement assertions, as well as controls 
in place to mitigate the risks and address 
the objectives. This doainieiit will allow 
the organization to: 1) identify those risks 
that have not yet been mitigated by an 
exiting control, 2) identify and eliminate 
redundant controls, and 3) assess the 
design of connols. 

Step Assess the Design of 
Coutrols. The control worksheets may 
be used to facilitate the organizatioivs 
assessment of the design of contiols. Onfy 
appropriately designed controls should be 
tested for effectiveness. The assessment of 
the design of controb should focus on how' 
well the control addresses the key control 
objectives (KCOs) and relevant financial 
statement assertions, ApproiM iately 
designed controls that ^dress key connol 
objectives over significant processes are 
typically deemed key tontrois. Contiols 
that are not appropriately desi^ied should 


be noted as such and col l ective actions 
niusr be develo{>ed and ex«:uted. 

*....4,1 , 

ot Cofi?rx>ls. Oigamzations should 
establish a supportable approach to tests 
of controls. The approacli at a minimum 
should include the following steps: 

a. Identify the controls to be tested - Only 
test appropriate^’ design contiols. 

b. Avoid duplication of efforts with other 
similar activities - Coordinate with similar 
activities such as FFMIA, GPRA, IPRA, 
FISMAetc. 

c. Identify w’ho will jx^rform the testing 
- Engage persomiei who possess the 
necessary competence and objectivity. 

d. Develop and exetmte test plans - 
Formal tests plans should be developed 
to facilitate review and approval by 
interested parties. The execution of 
the tests plans should include the 
tonsideration of the natiue, extent 
(including sampling techniques), and 
timing of the testing. Testing should 
be stringent and extensive enough to 
allow for reliance by the organization’s 
management and sufficient to support 
management’s SSAE 16 assertion, Within 
the Federal government, the recognized 
assessment methodology is summarized in 
die GAO/President’s Council on Integrity 
and Efficiency (PCTE) Financial. Audit 
Manual (FAM) (Section 450) and GAO 
FISCAM. In addition, 0MB Circular A-123 
includes guidance on inter nal controls 
sample sizes based on the frequency of 
(ontrols, Organizations should move to 
adopt the testing methods outlined in 
these publications. 

e. Document test results - Doaimentation 
should include the identification of items 
tested and who performed the tests, test 
results, and the overall conclusion. 

Step 7! Smnimvri/i' 'hist vhHs; and 
Categerrsw Once the 

resting is complete, organizations must 
summarize and evaluate the results of the 
tests. In accoidance with 0MB Circular 
A-123, Organizations must categorize 
deficiencies as a Control Deficiency, 
Signifiarnt Deficiency’, or Mater ial 
Weakness. 

Step 82 .Peveloj* and fri(».p. 5 .ei!«e«st 

Cwrecti re Actk».Bs. For any material/' 
significant deficiencies noted during 
testing, organizations must design and 
implement corrective actions. 


14 DC'D rfS'>ac‘iv»ss Ssse-ntiahi 



Mem; 




why do I need 

’supporting 

documentation? 


What is “sufficient, 
appropriate” 
suppoiting 
-fjoeuraentation? 


* What documental 
do I need to siippc 
financtai statensei 


77 


Supporting DocMmMntmtion 


fntro4iictiott 

When oiganizations assert audit 
readiness, they are declaiing 
that their financial statements 
are prepared in accordance with 
Generally ^^xspted Acxx)unting 
Wndples (GAAP) ; a set of standards 
to lie^ ensure that financial 
et^ents are consfeteiuiy lecorded, 
araunulated, and reported in 
financial statements. Eter Statement 
ofAuditingaandard (SAS) No. 

103 / AU 326 Audit Evidence, 
“Management is responsible for 
the prepaiation of die finandai 
statements based on the accounting 
recoids of tlie entity.” Inotlier 
vwsrds, supporting dociunentation 
is comprised of electronic and 
haid-copy eddence tliat supports 
tlie amount, classification, 
summarizadon, and importing of an 
organization’s individual business 
events in its finandai statements. 
Why<f<i J ttecd Siy>pt>rtirig 
documefflxicioni’ 

Finandai statement auditors ai e 
required to obtain audit evidence in 
Older' to dr aw reasonable conclusions 
bv’ performing audit procedttres to: 

1. Test the operating efiectivenessof 
conirois in preventing or detecting 
mateiial misstatements at tlie 
relevant assertion level (audit 
procedures performed for tliis 
purpose ate refen-ed k> as tests of 
controls); and 

2. D«ect matei'ial misstatements at 
the relevant assertion level (audit 


pr ocedures performed for tlris purpose 
are referred to as substantive procediu'es 
and indude tests of details of dasses 
of transactions, account balances, 
and disclosui'es, as well as substantive 
analytical procedures). 

Auditors perfonning testing to “detect 
material misstatements” may select 
samples of transactions and records 
underlying the financial statements. For 
eadi Sfimple item, the reporting entity 
must provide supporting documentation 
for' the individual transactions to 
demonstrate tliat the finandai event was 
accurately recorded in tlie accounting/ 
subsidiary system, and ultimately in the 
financial statements. Tire organization 
must provide supporting documentation 
to the auditorto prove tlieie are no 
material misstatements in their finandai 
statements by showing tliat individual 
transactions and lialances are accurately 
recorded, accimnilated, and reported in 
the financial statements. 

What, ii’ appropriate'" 

supiKaringdoamumtudon? 
Organizations sliould consider: the 
auditor’s requirements. In otlier words, 
what is “good enoirgh for the auditor”? 
Auditors are required to review suffident, 
appi'opi-iate supporting documentation 
CO allow them to draw condusions on 
whether ai'iy material niisstaterneiits 
exist in an organization’s finarreia,! 
statements. Tire audit standards explain 
tliat sufficiency is the measure of tire 
quantity of supporting doemnentation. 
Appropriateness is the measrue of the 
quality of supporting doamientatioii; tliat 


78 


I Auditor RorfutroitK'iii 


j Supporting documentation is more reliable 
j it is obtained from knowledgeabts independent 
j sources outside the reporting eirtity; 


I Sifpoitingdocumentafronttiattegeiiff^ ,, 
i mlefnaiVismorereiiablev^entherefet^ , ,, 
i controls itifo^dby-ther^ortirigentSy are -'V’; 
p effective ,- : .■ ,/ fr" 

j Supporting dooumentetion obtained 
j direc% by the auditor is more reliabte than 
j supporting documentation obtained irydirecSy 


j When g^ha-ing st^jpatng documents fo- r-urtd 
j Stance wSi Treasury (FBwT)acMy,tt>8 auditor wit place 
j greater i^arree cw rqjwte d>t^ed fern the Treasury 
j Sian Of} wstem^genaatedr^xwts from the raganizafen’s 
j accoun&ig systo 

Requ^frrPei5W}ne{ftAw®:P?^^aB^6d«K{ 
^o^eiedroRe^nliiepKsonR^sy^marernQre • • 

pysOT}^sy^fh.g&^)»ate^efet^ge^---;--s'---., 

The aud^ wl gre^ reiance (Hi pa^ 

infr)rmgft)n ofetamed die<% fttim savice provi^ 
than on payroB inSyn^n iSjta^ed from the 
(which, m turn, have cAitemed Bie irftsna&s} frc^n a 

sft’wefs'fflnder)- 

deeds 

d«nx^reien^totedd^on|^K)lc!^)^.(^the r 


[iOriginal suppbrfing documentation is mad. 
[ reliable than documentation provided by ,, , ; 
j photocc^i^ orfacsiinifes. : , I , 


Figure 1 0: Key Indicators used by auditors to evaluate the safficierKy and 
appropriateness of supporting documentation. 


is, its relevance and reliability in pro^dding An auditor’s view on. the reliability of 
support for or detecting misstatements siippoitii:^ doainwntation is influenced 

in the classes of transactions, account by the sotvce and nature of the 

balances, disdosiues, and related doctunentatiion, and is dependent on the 

assertions. indhddual ciraiiustatices by which the 

supportir^ documentation is obtained. 


Figure. 10 shows the l<ey indicatois used 
by auditors to eval!.iate the sufficiency 
and appropriateness of sup\x>iting 
documentation. 

In siunmary, the auditor uses many 
factors when evaluating the sufficiency' 
and appropriateness of suppoitii:^ 
dociimentarion. Orvanizations should 
Iceep these factors m mind when 
performing then audit readiness work. 


Orgamzations must be certain they can 
support relevant htianaal statement 
as.seitions lor transactions and balances, 
along wdtli supporting dociuiientation. 
Specifically, they must identify the 
documents they will use to support 
each material transaction type and 
balance. A simple method to eitsure that 
relevant assertions are addressed is to 
prepare a Suppoiting Docmnentation 
Matiix. Figure 11 is an example of a 
Suppoiting Documentation M^rix for 
tlie Appropriations Received line of the 
Statement of Budgetaiy Resoiu'ces. 


Ueltem 

K<>u <iLinnAHilwi}teamttnf« *- 


■ 


ii 




H 


B 


Appropriations i , Apportionment and Respportiaiment Schedule (SF 132) 

Received 

2vRepoflortBixlgetExecutionandBu(^et^Resounss(SF1^ 

3. Year-End Closing Statement {FMS 2108) 

4 lYtalbaiatK^byfuridcode'fTheia^accbinQcoiTespondngtoeachJ^iproF^^ 

5, Funding Authorizatfon Documents {FW)s) a^porfing dqcadmentai atlofrnenfe 


X 


Figure 1 1: Example Supporting Documentation Matrix. 


(bon Auifit Rwitdiiwcs Fssontlals 




79 



Figure 12: Consistent with the FIAR Guidance. Orgaru:^tiom should evaluate their sup- 
porting documentation following the FIAR methodology. 


Underetaiidmg the auditor’s 
requirements sunounding supporting 
docunieiitalion vi/ill allow organizations 
to imdeistand the “bai'” tliat they need 
to clear to Ijecome auditable. With that 
lujdei'standing in mind, or'ganizations 
should fbUow a series of repeatable steps 
for material assessable tuiits/financial 
statement line-items. Comistent with the 
FIAR Guidance, Oi'gatiizatioas sliould 
evaluate their supixnting docmnentation 
following the FIAR methodology shown 
iiiFigiire 12. These steps include: 

1: DefHse ajnd 

recottcile it to t'.he gexreritl lerlgeA'. 
For each material financial statement 
line- item, the organizations must extract 
a population of transaction-lev’el activity 
and reconcile tlrat population to their 
geneml ledger , If no trial balance is 
available from the general ledger, an 
equivalent report (e.g., DFAS 218 Report) 
should lie used to demonstrate tliat the 
population contains transactions tliat 
acamiulate to amoimts reported in the 
■financial statements. Any differences 
between the population and tlie 
general ledger must be identified and 
appropriately resolved. 


Step 2: .Define Key Sappcirting 
Documents (KS.Ds) and docjsment 
reJsntion After 

piepaiing tlie popuktiou, organizations 
sliould uientiiy the documentation 
needed by transaction type to support the 
relevant financial statement assertions. 
TWs can be accomplished using a 
Supportuig Doaunentation Matiix to 
visually denKuistrate liow assertbns 
are addressed. After relevant KSDs are 
identified, organizationsshould confirm 
that their existing dociuiient retention 
policies aie sufficient, reqiuring field 
locations to retain KSDs for a sufficient 
period of time to support current balances 
and transactions intheii' financial 
statements. 

Step S'. Develop tests of suppotting 
documentation^ Organizations should 
then develop a test for the existence 
of supporting documentation and the 
organization's ability to retfiew such 
documentation in a timely manner. This 
includes designing a representative 
san^le of the population, defining wliat 
specific dociunentation will be requiied 
for each type of sample item, and 


suimnarizing the comparison procedures 
tliar will lie performed between each 
sample item and the dociunentation 
supporting the sample item (to verify the 
acauacy/classification of the transaction 
as recorded in tlie system) . 

i» a v' the te<;i has 

lieeii developed, the orgamzation must 
execute the test, select the sample items, 
and complete testing on sample items in 
the jxipulation. Any instances in wiiich 
doaunentation could not be located or 
the recorded sample items did not agree 
vvith supporting doa unentation should be 
noted forevaluation. 

A; ‘ .>rri. 

ctiiegiu ic-.' ihdW’t'i u 'v Once 
tlie testuig IS complete, organizations 
must evaluate the results of the tests. 
Exceptions should be sununarized by type 
and evaluated. Ei iora caused by missing 
dociunentation and data input should be 
separately considered and examined for 
trends and root causes. For deficiencies 
that a.re greater than insignificant or 
isolated, organizations should proceed to 
Step 6. 

Step 6: Develop anil .imp.tteme.nt 

etJTrecijve For any material/ 

significant deficiencies no ted diuiiig 
testing, organizations must design 
and implemeiit corrective acrious. 

For instances in wliich origirral soiuce 
doaunentation caxmot be located, 
organizations must identify alteiriative 
dociunentation, and then perform 
tests to coirflnn tire exi,srence of the 
alternative documentation. For instances 
in which transactions atrd balances 
are not consistent with the supporting 
documentation, organizations should 
identify the root cause of tire error, nrake 
i^cessary process/control improvements 
to pi'event such errors in tlie future, aird 
review the airrent popuiatioii to ensure 
similar transactions in tire population are 
corrected. 


An irsider'3 Ansivefs to Your Most Commonly .Arikod Qi,.it}otii?ns 



80 



' Information Ted''. ■" 


liitradtictioii 

As reporting entities begin their 
audit it?adin^ efforts, they need 
to identify ffystems that shoidd be 
ev-ahiated for effective internal 
a>ntrols. Reporting entities should 
compile an intentoty of systems used 
in end-to-end piocesses to lecord, 
process, and report ttansactions. 
Additionafly, reporting entities 
sliotdd identify any ERPs, feeder 
sj'steins, and micro-applications 
used to a eate aitd store supporting 
documentatioji. Tliis informatiou is 
typically gathered dtuing interviews, 
ejKJ-to-end walktltrouglis of 
transactions, and inspections of 
available documents tliat describe 
tlie systems emiromnent. These 
documents could include, but me not 
limited to, system certificariotisajid 
accreditatioits, system seairity plans, 
interface agreements, andsj'stem 
inventories prepared to compfy with 
tlie Federal Infonnation Secmity 
Management Act of 2002 (FISMA). 


^ ; > V:i 

m my 

Once an invetitorv of systems has been 
compiled, a repoiting entity must ask 
tliree specific questions for eacli system in 
tlie inventory; 

1) Does the system |jerform a key 
automated control? Examples include 
user access to perform transactions, 
checking for data completeness/acciuacy, 
and matcliing of invoices to receiving 
doaunents. 

2) Ai'e key manual coiitiols dependent 
on reports or data generated fiom the 
system? Examples include reports used to 
perfonn physical inventories, exception/ 
error reports of rejected transactions, 
and reports or data sets used to peiform 
reconciliations. 

3) Ate Key Suppojting Doctunents (KSDs) 
created/ietained in tlie sj^tem? Examples 
include electronic time-slieets, receiving 
reports, and piuchase ordera. 


81 


If a. fe|X).it.iiig entity answers yes to one 
or more of these questions, the system 
sliould be scoped into a leporting entity’s 
audit leadiness effoits. 

It is inipoitant to remember that these 
systems tnay be financial systems, mixed 
systems, or potentially non-financial 
systems (e.g., pei'somiel, equipment 
maintenance, etc.)- ilte appropriate 
scoping iiVout of systems in audit 
readiness effoits will iielp ensure that 
appropriate resomres ate effectively 
utilized imd time is iiot wasted leviewing 
systems that are not key. Resoiu'ces 
should be focused on systems tliat need to 
be scoped into audit readiness effoits. 

'hjceth'es tieed to be 

Once an organization has establislied 
winch -svstems are in-scope for internal 
controls over financial reixnting and 
audit readiness, reporting entities need to 
detemiine wliich IT controls to evaluate. 
There are two basic levels of IT controls: 
Application Controls; Tliese are controls 
that are specific to indhtdiial transaction 
processes witliin a system. An example 
of an Application Control is a sj'stem tliat 
requites a “Travel Order Approter” role 
in order for a tiavel order to be approved 
and processed in a system. Tliis is refened 
to as an application control because it is 
specific to the travel system application 
and does not relate to approviirg 
timesheets in the time and attendance 


syaem. Application controls are grouped 
into the following categories which ran 
affed the reliability of financial data: 

• Business ftot^s Controls 

• interface Controls 

• Datdiase Management System Controls 

• Application-Le^ Geiteral Controls 
IT General Controls: These are controls 
that relate to tlte ov'erall functionir^ of 
an individual application or a group of 
applications. Forejmupie, the program 
configuration n^n^ement (software 
cliange control) process for an iiHlh'idual 
app^cation has tte p»tential to impiact 
automated <»ntiol features buflt into the 
system. Tlte configuration matragement 
prxxess for a computer sj^em ttet serves 
as the platform for multipte applications 
lias the piotential to a^ct the iittegiity of 
applications that nm on that platform. 

IT geneitrl controls are grouped into the 
follow'ing rategories which ran affect the 
1 elialnlity of finandal data: 

• Security' Management 

• Aoress Controls 

• Segregation of Duties 

• Configiuation Management 

• Contin^ncy Planning 

Tire GAO Federal Infonuatbn System 
Controls Audit Mamral (FISCAM) is 
the primary authoritative source for 
evaluating IT controk diuing a financial 
statement audit. It provides details 
regarding relevant contiol objectives, 


Art Insider's Answers 


control activities, and control tedmiques. 
Tire IT control aioas docmnented in 
FISCAM are also consistent with the CFO 
Coimcil’s implementation guide for 0MB 
CirailarA-123 (Ap^iendix A). 


In short, theansv'eris. it depends. While 
tlie areas and requirements addiossed 
Ity certification, accreditation, and other 
compliance assessment work completed 
Ity’ the organization may align with certain 
FISCAM control objectives, activities, 
and tedmiques, the controls design 
documentation, testing piocediues, and 
testing results are typically not pr epar ed 
in a manner tlrat addresses 0MB Ciiculm' 
A- 123 (Appiendix A) and Finandal 
Improv'ement and Audit Readiness 
(FIAR) requirements. If yom certification, 
accreditation, and compliance assessment 
effoits result in Yes/No or Compliant/ 
Not-Compliant documentation and test 
results, you will realize v'eiy limited re-use 
for audit readiness preparations. 

Wlieu planning your next certification and 
accreditation or compliance assessment 
effort, it is best to indude controls 
doauneiitalion and testing requirements 
tlrat meet audit readiness requrtements. 
Tlrrs will irraease the auditor’s ability to 
reuse tire resulting work products. 


Your Most CoiriiTK^nlyA-ikt'd QuHStioR!;; :19 




Figure 13: When controls are performed by an information s^tem the system is in 
scope for audit readiness. 


A few key steps that must be completed; 
Step 1 : i:de.n'6fy a teaiw tx.wsiprtsed 
of wito fM.>sse.ss 

ap;P'rojt':r.l«si:«i! siiysten5.,<» 
k'SMJwledgsis aj?d cxpei'ietM'*;. As 
disatssed iii the Audit Peadiness Human 
Capital section of this document, it is 
critical for the audit readiness team 
to incorporate personnel who possess 
Federal financial statemeiit audit 
expeiience. Spedficallj-', tlie team 
shotild include specialized information 
teclmology auditors who liave experience 
applying the GAO FISCAM to financial 
statement audits. Fiuthennore, it may 
be necessary to identify IT auditots who 
possess specialized application (e.g., 

ERP) and/oiTiaidwaie platform (e.g., 
client server or maiiiftame) teclinical 
experience. 

Step 2.1 Idesdify 'whicli sysltiins 
isnpaet mtanml. cotniTofe ove:r 
fi-nancial reportkig. As noted in 
the Internal Controls section of tliis 
doaunent, tlie audit readiness teatn 
sliould identify the organization’s 
significant financial processes and 
related rislts, KCOs, and key controls. In 
those instances where the controb are 
perfonned by an information system 
or are dependent on r epor ts and data 
produced l5>' an inforination system, the 


system is in scope for audit readiness, as 
sliown in Figure 13. Qose collaboration 
betvreen the infoimation ta;hnology audit 
specialists and otter ineiribeis of the audit 
readiness team is essential to correctfy 
address tliis key scoping question . 

S^p 3; Establish the c«>nitrol 
objectives against which the 
^istesn appiksation and gene?^ 
cont3:^s will bo evaluated. As the 
GAO FISCAM was developed for multiple 
types of infoimation system audits 
(financial and non-finandai), only a 
subset of the FISCAM control teclmiques 
is typically relevant for audits of Federal 
finaiK;ia] statements. Input from 
infoniiation technology audit specialists 
who liave experience appljing the 
FISCAM on Fedend financial statement 
audits slK)uld te considered in tliis 
decision-making process. 

Step 4: Determine which 
ot^anizationCs) are tespcmaible 
fi>r perfimniiig relevant syst&ms’ 
related jfimctions. After determining 
wliich information systems and FISCAM 
control techiuques are in scope, it is 
necessary to identify tlie oiganizationfs) 
tliat liave l espondbilit}' for relevant 
aspects of infoiination systems 
management. Tliis may include one or 
more external service providers or tiiird- 


patty service orgatiizafions. In the DoD 
envii'Oiiment it is not uncom mon for the 
user organization to rely on one semce 
provider for application development/ 
maintenance (e.g., DFAS, BTA, CPMS) 
and another for data center operation and 
application hosting (e.g., DISA). Tlie.se 
entities may be responsible for perfonning 
relevant internal controb and/or 
retaining Key Supporting Documentation 
(KSD). 

test ,.->t s,o.'.va\ .'r ’■ 

OjKH tn .V » * Ons ' 'O 
‘•Si s ConsistLiit 
with the Internal Conti ols section of 
this docimient. the audit readiness team 
would gather the information needed to 
determine the procedures in place to meet 
the FISCAM techniques for each iii-scope 
system. Tlte identified controb for each 
FISCAM teclmique would te documented 
in a summaiy format and evaluated 
to deteraiine whether the applicable 
FISCAM teclmiques, activities, and 
objectives ate adequately addressed. Tliis 
b typically referred to as a test of design 
effectiveness and should be completed 
before more rigorous and time-consuming 
tests of operating effectiveness are 
performed. Fo r those controb upon wliich 
reliance is being placed and are effectively 
designed, tests of operating effectiveness 
are performed. Ttese typically involve 
selecting samples and te, sting die actt.ial 
perfonnance of the controls over a period 
of time (usually six montlis to one year). 
After completing the tests of design and 
operating effectiveness, management 
sliould evaluate the results, mal<e a 
determination on the reliability of the 
infonnatiou systems controb and their 
impact on audit readiness, and implement 
corrective actions as necessaiy. 

If management lias any questions 
regaiding the results from each 
phase, input should be obtained fiom 
appropriate knowledgeable sources liefore 
moving on to tlie next step. Following 
tliis approach VitII help management 
avoid bsues involving scoping, adequacy 
of dociunentation, appropriatene,ss of 
conclusions, and preventable re-work. 


83 


la conclitsioa, the CFO Act and GMRA 
reqitli^; Federal Executive Agencies to 
prepare financial statements and have 
them audited by independent auditors. 
More recently, the Defense Authojization 
Act also required that the DoD and other 
Dei>atTments detnoiostrate audit readiness 
progress and be prepared to sustain a 
foil scope financial statement audit by FY 
2017. Tliese lequiiements can be met if 
the DoD Organkatioiis apply the audit 
readiness principles addressed in tliis 
guide as shown in Figure 14. 
Organizational f.,ea4ie:ii's:h.ip StrpjJOtt 
is critical to create a synergistic cultiue- 
tliat influences the organization to 
work together to acliieve success. Audit 
readiness success is dependent on more 
tlian just financial management support, 
it requires leaderslnp sttpport from 
acrass the organization to eitsure that 
infoniiatioii systems, business processes, 
internal controls, logistics, and supporting 
doainientation are. all working together 
to properly recoiri busine.ss events in the 
financial statements. 

Appropriate Audit Keadtaess FilmMan 

reqtures the right people with 
tire light skills, trainmg, education, and 
experience to identify audit readiness 
impediments and develop worltable 
solutions. Congress tmdei'stands rltis 
need and Itas written into the FY 2012 
Defense Authorization Act tliat the DoD 
must document audit r'eadiness skills and 
education. 

Effective 

demonstrate an organizatiorvs ability to 
assert tlrat its financial stateitrents are 
faiiiy stated iir accordarrce with Generally 
Accepted Accounting Principles (GAAP). 
■Ore scale of the oper'ations ofthe DoD 
and its organizations is so large that 




Auditable Financial Statements 


- ^ i 


!i; . < 




Figure 14: These Audit Readiness competencies can be met if the DoD Organizations 
apply the audit readiness principles addressed in this guide. 


it would be -prohibitive to audit 

tire Department’s financial stateuieiiK 
witliout relying on iirter rial controls. 
Therefore, internal controb procedui-es 
tliat are properly designed, implemented, 
and maintained are an esserrtial audit 
readiness con^tency that is necessary' to 
enable the DoD arrd similar organizations 
to achieve reliable financial reporting, 
effectK^ and efficient operations, and full 
compliance wtli laws and regulations 
necessary to sustain a full-scope ftirandal 
rtaternent audit. 

Adequate Supposting 
.Oocmitestt^tfo-n uuist be produced 
to allow auditors to form conclusions 
on tire fair presentation of tire fiirencial 
statements. Government auditing 
standards require that auditors obtain 
sufficient and appr opriate supporting 
documentation m form conclusions 
to support tlreir audfi opinion. Thb 
supporting doauirent^oo, wWch may 


be conrpj'ised of electronic and hard- 
copy evidence, will be used to .sujjport 
each financial statement assertion and 
support tlie amouirt, classification, 
summaiization, and reporting of 
individual busirress events. 

Reliable ’.r«;«;!s:sK.>h:sgy 

controb witlrin and smiounding 
orgairizational systenrs improve the 
ability of management and avrditors to 
rely on electronic data used to prepaio 
tire financial statements. Organizatioirs 
mxrst include relevant ERFs, feeder 
systems, and rniao-applications in 
tlreir audit readiness jjlans to ensiue 
that data processed by or obtained 
fioni irrfonnation systems can be relied 
upon for lx)th audit and operational 
ptuposes. Strong information teclmology 
controls lead to greater efficiencies and 
cost savings in cirrrent and future audit 
readiness efforts and will reduce the cost 
of future financial statement audits. 


.4fi Snsldar's A.nswsrs to Your Mo&r Ccrr’iTjoiify Oi.iestiona 21 


pwc 


If you have any questions regarding 
this guide or audit I'eadiness 
activities, please contact one of the 
following individualsi 


National Sectuity Piacdce 
(703) 9l8-m0 
iiiaris-j.keeleyiffiiis.pT.'i.T.com 


Roiiie Quiou 

Principal 

National Sectuity Piactk;e 

(703)9J.a-ri.50 

i'oliie.qu!i!!M©sis,pwc,com 



